BleepingComputer.com: My computer acts like the alt key is being held down

First, I wouldn't be coming here except as a last resort, so I really appreciate you taking the time to read this and help out.

My computer (Windows XP Home) was working fine last night (although it had a google-redirect virus that I was unable to remove, I was just using dogpile and living with it), and when I tried to log in this morning, the keyboard seemed to not work. I eventually figured out that if I hold down the right arrow key, I can type mostly as normal, and I logged in successfully. From there, I discovered that the alt key seemed to be activated, because any time I hit a key it invokes the alt+shortcut instead of typing the key. Holding down right arrow (or certain other keys) bypasses that and allows me to type but it is a huge nuisance. In addition, my mouse clicks act as if alt is held down, i.e., double-clicking a file opens its properties instead of opening the file and clicking a url downloads the target source.

I have already tried: Swapping keyboards, swapping mice, using the onscreen keyboard (it also acts as if alt is pressed), unplugging the keyboard/mouse, reinstalling the keyboard/mouse drivers, my usual suite of rkill/CCleaner/MBAM, restoring my system to two days ago, as well as stopZilla and Hitman Pro. The last time I ran each of the antivirus programs they didn't find anything, but the alt problem (and the google redirect) is still there. The most recent thing I did was a system restore, but it didn't do anything. I haven't yet tried Gmer or ComboFix.

I've exhausted what I know to repair this; the only next steps I can think of are severe repair tools like ComboFix, which i have never used and may not even help, or a Windows re-installation, which seems like the simplest solution at this point.

I'll subscribe to this thread and try to rapidly respond to any requests for more info or recommendations. If I haven't fixed this by next weekend I think I will have to reinstall Windows.

Thanks for your help

This post has been edited by Personb: 07 August 2011 - 04:50 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:

• Report IE Proxy Settings
  
• Report FF Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List last 10 Event Viewer log
  
• List Users, Partitions and Memory size

Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java™ 6 Update 17
Java™ 6 Update 12
Java™ 6 Update 3
Java™ 6 Update 4
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.1.102.64
Adobe Reader 8.2.3
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````





MiniToolBox by Farbar
Ran by Administrator (administrator) on 07-08-2011 at 19:53:27
Microsoft Windows XP Service Pack 2 (X64)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 53273
"network.proxy.type", 0
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Local Area Connection 2"

set address name="Local Area Connection 2" source=dhcp
set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
set wins name="Local Area Connection 2" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : jubilee

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : maine.rr.com



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : maine.rr.com

Description . . . . . . . . . . . : NVIDIA nForce Networking Controller

Physical Address. . . . . . . . . : 00-1E-8C-75-10-8A

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.102

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 209.18.47.61

209.18.47.62

Lease Obtained. . . . . . . . . . : Sunday, August 07, 2011 5:19:25 PM

Lease Expires . . . . . . . . . . : Monday, August 08, 2011 5:19:25 PM



Ethernet adapter Local Area Connection 2:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : NVIDIA nForce Networking Controller #2

Physical Address. . . . . . . . . : 00-1E-8C-75-16-08

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: google.com
Addresses: 74.125.115.99, 74.125.115.103, 74.125.115.104, 74.125.115.105
74.125.115.106, 74.125.115.147



Pinging google.com [74.125.113.104] with 32 bytes of data:



Reply from 74.125.113.104: bytes=32 time=55ms TTL=50

Reply from 74.125.113.104: bytes=32 time=46ms TTL=50



Ping statistics for 74.125.113.104:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 46ms, Maximum = 55ms, Average = 50ms

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 69.147.125.65, 72.30.2.43
98.137.149.56



Pinging yahoo.com [69.147.125.65] with 32 bytes of data:



Reply from 69.147.125.65: bytes=32 time=34ms TTL=53

Reply from 69.147.125.65: bytes=32 time=39ms TTL=53



Ping statistics for 69.147.125.65:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 34ms, Maximum = 39ms, Average = 36ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms


IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1e 8c 75 10 8a ...... NVIDIA nForce Networking Controller - Packet Scheduler Miniport
0x3 ...00 1e 8c 75 16 08 ...... NVIDIA nForce Networking Controller #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.102 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.102 192.168.1.102 20
192.168.1.102 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.102 192.168.1.102 20
224.0.0.0 240.0.0.0 192.168.1.102 192.168.1.102 20
255.255.255.255 255.255.255.255 192.168.1.102 192.168.1.102 1
255.255.255.255 255.255.255.255 192.168.1.102 3 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/07/2011 05:24:02 PM) (Source: LoadPerf) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (08/07/2011 05:24:02 PM) (Source: LoadPerf) (User: )
Description: The performance strings in the Performance registry value is corrupted when
process Performance extension counter provider. BaseIndex value from Performance
registry is the first DWORD in Data section, LastCounter value is the second
DWORD in Data section, and LastHelp value is the third DWORD in Data section.

Error: (08/07/2011 05:13:01 PM) (Source: LoadPerf) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (08/07/2011 05:13:01 PM) (Source: LoadPerf) (User: )
Description: The performance strings in the Performance registry value is corrupted when
process Performance extension counter provider. BaseIndex value from Performance
registry is the first DWORD in Data section, LastCounter value is the second
DWORD in Data section, and LastHelp value is the third DWORD in Data section.

Error: (08/07/2011 05:10:18 PM) (Source: LoadPerf) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (08/07/2011 05:10:18 PM) (Source: LoadPerf) (User: )
Description: The performance strings in the Performance registry value is corrupted when
process Performance extension counter provider. BaseIndex value from Performance
registry is the first DWORD in Data section, LastCounter value is the second
DWORD in Data section, and LastHelp value is the third DWORD in Data section.

Error: (08/07/2011 04:39:38 PM) (Source: LoadPerf) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (08/07/2011 04:39:38 PM) (Source: LoadPerf) (User: )
Description: The performance strings in the Performance registry value is corrupted when
process Performance extension counter provider. BaseIndex value from Performance
registry is the first DWORD in Data section, LastCounter value is the second
DWORD in Data section, and LastHelp value is the third DWORD in Data section.

Error: (08/07/2011 03:26:20 PM) (Source: LoadPerf) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (08/07/2011 03:26:20 PM) (Source: LoadPerf) (User: )
Description: The performance strings in the Performance registry value is corrupted when
process Performance extension counter provider. BaseIndex value from Performance
registry is the first DWORD in Data section, LastCounter value is the second
DWORD in Data section, and LastHelp value is the third DWORD in Data section.


System errors:
=============
Error: (08/07/2011 05:19:45 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{555F3418-D99E-4E51-800A-6E89CFD8B1D7}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Error: (08/07/2011 05:19:45 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{555F3418-D99E-4E51-800A-6E89CFD8B1D7}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Error: (08/07/2011 05:06:07 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{555F3418-D99E-4E51-800A-6E89CFD8B1D7}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Error: (08/07/2011 05:06:07 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{555F3418-D99E-4E51-800A-6E89CFD8B1D7}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Error: (08/07/2011 03:23:10 PM) (Source: Service Control Manager) (User: )
Description: The is3srv service failed to start due to the following error:
%%2

Error: (08/07/2011 03:23:10 PM) (Source: Service Control Manager) (User: )
Description: The szkg5 service failed to start due to the following error:
%%2

Error: (08/07/2011 03:23:10 PM) (Source: Service Control Manager) (User: )
Description: The szkg5 service failed to start due to the following error:
%%2

Error: (08/07/2011 03:23:10 PM) (Source: Service Control Manager) (User: )
Description: The szkg5 service failed to start due to the following error:
%%2

Error: (08/07/2011 03:22:01 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{555F3418-D99E-4E51-800A-6E89CFD8B1D7}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Error: (08/07/2011 03:22:01 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{555F3418-D99E-4E51-800A-6E89CFD8B1D7}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.


Microsoft Office Sessions:
=========================
Error: (08/07/2011 05:24:02 PM) (Source: LoadPerf)(User: )
Description: WmiApRplWmiApRpl

Error: (08/07/2011 05:24:02 PM) (Source: LoadPerf)(User: )
Description: Performance

Error: (08/07/2011 05:13:01 PM) (Source: LoadPerf)(User: )
Description: WmiApRplWmiApRpl

Error: (08/07/2011 05:13:01 PM) (Source: LoadPerf)(User: )
Description: Performance

Error: (08/07/2011 05:10:18 PM) (Source: LoadPerf)(User: )
Description: WmiApRplWmiApRpl

Error: (08/07/2011 05:10:18 PM) (Source: LoadPerf)(User: )
Description: Performance

Error: (08/07/2011 04:39:38 PM) (Source: LoadPerf)(User: )
Description: WmiApRplWmiApRpl

Error: (08/07/2011 04:39:38 PM) (Source: LoadPerf)(User: )
Description: Performance

Error: (08/07/2011 03:26:20 PM) (Source: LoadPerf)(User: )
Description: WmiApRplWmiApRpl

Error: (08/07/2011 03:26:20 PM) (Source: LoadPerf)(User: )
Description: Performance


========================= Memory info: ===================================

Percentage of memory in use: 43%
Total physical RAM: 4094.19 MB
Available physical RAM: 2332.79 MB
Total Pagefile: 5892.16 MB
Available Pagefile: 4521.18 MB
Total Virtual: 4095.88 MB
Available Virtual: 4025.67 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:74.5 GB) (Free:15.76 GB) NTFS
5 Drive f: (Mass Effect 1) (CDROM) (Total:7.18 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\JUBILEE

Administrator ASPNET Guest
postgres SUPPORT_388945a0


== End of log ==





Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7403

Windows 5.2.3790 Service Pack 2
Internet Explorer 6.0.3790.1830

8/7/2011 7:57:46 PM
mbam-log-2011-08-07 (19-57-46).txt

Scan type: Quick scan
Objects scanned: 156089
Time elapsed: 1 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0568A8F4-C236-4902-B966-75511B1CCC2a} (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0568A8F4-C236-4902-B966-75511B1CCC2A} (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SysWOW64\bidispl32.dll (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\bidispl32.dll (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.





GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-07 20:20:18
Windows 5.2.3790 Service Pack 2
Running: urjg0042.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0xFE 0xC0 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xB9 0x26 0xEF 0xD1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0C 0xD5 0x5C 0x8B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4B 0x18 0xE5 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6C 0xA5 0x95 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x08 0xF6 0xCD 0x77 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF7 0x38 0x98 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB7 0x97 0xA6 0xE0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9E 0xCA 0x3F 0xCF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0xFE 0xC0 0xEE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xB9 0x26 0xEF 0xD1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0C 0xD5 0x5C 0x8B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4B 0x18 0xE5 0x64 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6C 0xA5 0x95 0xA5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x08 0xF6 0xCD 0x77 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF7 0x38 0x98 0x7C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB7 0x97 0xA6 0xE0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9E 0xCA 0x3F 0xCF ...

---- EOF - GMER 1.0.15 ----

I kept it short in the other post because I was working on the infected computer. I ran all of those programs and posted their logs in order (Security Check, MiniToolBox, MBAM, GMER). MBAM found a couple of things that didn't fix the problems, but that has been normal lately with the google redirect virus. This keyboard problem is much worse, but none of my antivis have noticed it yet.

Thanks for getting to this so quickly.

I can see several issues there, but we have to proceed one step at a time.

First of all I don't see any AV program running.
Install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Update, run full scan, report on any findings.

When done...

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  
• An icon will be created on your desktop. Double-click that icon to launch the program.
  
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  
• Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

• Open SUPERAntiSpyware.
  
• Under "Configuration and Preferences", click the Preferences button.
  
• Click the Scanning Control tab.
  
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  
  • Close browsers before scanning.
    
  • Terminate memory threats before quarantining.
  
  
• Click the "Close" button to leave the control center screen.
  
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  
• On the left, make sure you check C:\Fixed Drive.
  
• On the right, under "Complete Scan", choose Perform Complete Scan.
  
• Click "Next" to start the scan. Please be patient while it scans your computer.
  
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  
• Make sure everything has a checkmark next to it and click "Next".
  
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  
• If asked if you want to reboot, click "Yes".
  
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  
  • Click Preferences, then click the Statistics/Logs tab.
    
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    
  • Copy and paste the Scan Log results in your next reply.
  
  
• Click Close to exit the program.

Post SUPERAntiSpyware log.

We posted at the same time, so I want to make sure you saw my last reply.

I'm running the Avast full scan now, so it will take awhile but I'll post my reply in the next couple of hours.

No problem

So the Avast scan finished after about an hour and twenty, and it found approximately 20 threats. I clicked to remove them all, and all except for one of them were considered successfully removed. That one it said unable to remove for some reason. Avast recommended that I schedule a boot-time scan and I clicked yes, then my computer BSOD'ed a second later.

I'm posting from the other computer, rebooting the infected one now to see if I can salvage the Avast log, run it again, and run SuperAntiSpyware.

**edit**
However, it seems like Avast's boot-time scan is running now, so I'll let it run its course
**/edit**

This post has been edited by Personb: 07 August 2011 - 09:07 PM

OK.....

the boot-time scan finished running, and i clicked yes to remove various threats. after re-booting, the alt problem was gone for a short bit (10-20 seconds) **edit** i was able to log in normally **/edit**, then it re-appeared. the google redirect is also still present. where can i find the avast log? i just found the report section now and hadn't checked it before running avast. should i run it again? I am working on superantivirus now.

thank you again for helping me solve this

**edit2** i forgot to mention, i got this error popup after the reboot

Error loading C:\WINDOWS\obafirujiqigisoh.dll

The specified module could not be loaded

**/edit**

This post has been edited by Personb: 07 August 2011 - 10:33 PM

You're welcome

Avast scan log should be located in C:\Documents and Settings\All Users\Alwil Software\Avast5\log folder.

I ran superantispyware in safe mode, and here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/07/2011 at 11:45 PM

Application Version : 5.0.1108

Core Rules Database Version : 7524
Trace Rules Database Version: 5336

Scan type : Quick Scan
Total Scan Time : 00:05:23

Operating System Information
Windows XP Professional 64-bit, Service Pack 2 (Build 5.02.3790)
Administrator

Memory items scanned : 199
Memory threats detected : 0
Registry items scanned : 58030
Registry threats detected : 10
File items scanned : 14314
File threats detected : 0

Trojan.Agent/Gen-SSHNAS
(x86) HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS
(x86) HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS#NextInstance
(x86) HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000
(x86) HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Service
(x86) HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Legacy
(x86) HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ConfigFlags
(x86) HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Class
(x86) HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ClassGUID
(x86) HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#DeviceDesc

Disabled.SecurityCenterOption
(x64) HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY


as for the avast log, i found my avast directory at C:\Program Files\AVAST Software\Avast, but there was no log folder. i think i should run avast again, since it seemed to temporarily remove the problem, despit the bsod, and i think i can configure it to make a log file.

**edit**
i got that same error popup as before on startup again, which is also new as of today
**/edit**

This post has been edited by Personb: 07 August 2011 - 11:25 PM

Quote

If it's not there you can certainly re-run the scan.

Okay, I am running the Avast scan again, and if it asks for a boot-time scan and BSODs again, then I'll do that scan as well. This time I've configured it to save a log file (I'm surprised it wasn't checked by default). It's getting pretty late here so I probably won't finish the scans and post the log until tomorrow, maybe 10 or 12 hours from now.