Infected with Win32/Olmarik.ZC trojan redirect virus


  • This topic is locked
18 replies to this topic

#1 Camaroon


Posted 16 June 2010 - 11:42 AM

Hi everyone, I'm new to this forum. I found it through the cnet.com forums. As you can read by my subject I am infected by a redirect virus. All search results in Bing and Google show up normal, then when clicked on redirect me to a different page. I know there are a lot of topics on this but from what I read it seems like cleaning should be taken on a case by case basis which is why I'm starting a new topic. First, a little history.

I have Panda Cloud Antivirus installed and Windows Defender running with it. Yesterday I got infected by one of the fake AV Suite viruses. It disabled task manager and Panda and wouldn't allow me to run anything else. I immediately closed out of everything, rebooted in safe mode, and ran Malwarebytes. MWB found a couple of things and cleaned them (I've attached the log file). So at that point my computer seemed to be running normally. I ran a scan with Panda and it found nothing. However, sometime later I did a search for something and noticed the strange search behavior. I figured it must be a virus still and found out that it was. Every search I did about this seemed to bring me to a forum that instructed to use Combofix. But at the same time, I didn't go through any of those fixes because they all seemed specific to that user. Last night I tried System Restore to a couple of different points but that failed every time. So this morning, I ran SuperAntispyware, which found 816 cookies and one possible trojan (a different one than this) and cleaned them. I then posted about this in the cnet.com virus forums and was pointed to a thread about Hitmanpro which seemed to be fixing this issue. I ran that program and sure enough it found the trojan I mentioned above and BackDoor.Tdss.2459 infected in the smb.sys file. But for some reason, when I tried to delete it with that program it wouldn't work. I've attached the XML log from Hitmanpro. After this, I ran CCleaner and cleaned stuff up.

So this is basically where I'm at right now. I've scanned that specific smb.sys file with Panda, MWB, and AdAware and none of them ever flag it as infected. I really don't want to have to do a clean install, but in one of the last threads here the moderator mentioned that even if we clean this, the system may never be secure again. I would appreciate any help that anyone is willing to give. Thanks in advance!

I'm running Windows Vista Ultimate 32bit with all current updates.


 


#2 Camaroon


Posted 16 June 2010 - 02:48 PM

Just to follow up from my original post, I found and read the thread about what should be posted under a new topic and wanted to provide those details. I ran DDS and the results are below and attached. Gmer was a different story, however. The first time I ran it in Normal mode, it crashed. The subsequent times I ran it in normal mode, maybe 4 more, it caused my system to crash (BSOD). So I restarted in Safe Mode. The first time I ran it in SM, it crashed again. The second time the system crashed again. The first couple of times I ran it I was still connected to the internet and I hadn't disabled virus software (Panda). Then I found the different instructions and made sure to turn off my internet connection and disable Panda and Windows Defender. Still didn't work. I'm starting to fear the worst about my system. Any details on this are appreciated.

Here's DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Work at 14:47:56.07 on Wed 06/16/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2526.1437 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\WizMouse\WizMouse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATK Hotkey\MsgTranAgt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\ATK Hotkey\LOSD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Lenovo\Energy Management\utility.exe
C:\Program Files\Lenovo\Energy Management\Energy Management.exe
C:\Program Files\ATK Hotkey\HControlUser.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\ViGlance\ViGlance.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe
C:\Users\Work.Cam-Laptop\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ViGlance] c:\program files\viglance\ViGlance.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe
mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe
mRun: [HControlUser] "c:\program files\atk hotkey\HcontrolUser.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: Send image to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: msn.com\my
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration

================= FIREFOX ===================

FF - ProfilePath - c:\users\work~1.cam\appdata\roaming\mozilla\firefox\profiles\bb27b4rf.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com
FF - component: c:\users\work.cam-laptop\appdata\roaming\mozilla\firefox\profiles\bb27b4rf.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\cam\appdata\roaming\idm\bin\flash\platform\winnt\plugins\npidmdcp.dll
FF - plugin: c:\users\cam\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\work.cam-laptop\appdata\roaming\mozilla\firefox\profiles\bb27b4rf.default\extensions\2020player@2020technologies.com\plugins\NP2020Player.dll
FF - plugin: c:\users\work.cam-laptop\appdata\roaming\mozilla\firefox\profiles\bb27b4rf.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-8 64288]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-5-4 125960]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 67656]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-4-30 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-4-30 99336]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111112]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-5-12 111176]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2008-8-6 216032]
R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\lenovo\onekey app\system repair\UpdateMonitor.exe [2009-5-4 430080]
R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2009-5-4 47680]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-5-19 21520]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-28 210432]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2010-3-8 62496]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-4-6 3668480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-8-21 66592]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-14 133104]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-8-29 29736]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-5-5 21504]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2008-7-8 31712]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2009-5-4 81192]

=============== Created Last 30 ================

2010-06-16 18:45:25 361722123 ----a-w- c:\windows\MEMORY.DMP
2010-06-16 14:39:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-16 14:38:41 0 d-----w- c:\programdata\Hitman Pro
2010-06-16 14:38:40 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-16 02:40:55 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-06-16 02:40:00 0 d-----w- c:\programdata\Panda Security
2010-06-10 16:44:02 0 d-----w- c:\program files\OffiSync
2010-06-08 21:14:40 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-27 22:39:33 141384 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2010-05-27 20:34:44 0 d-----w- c:\windows\system32\20-20 Technologies
2010-05-27 15:26:11 0 d-----w- c:\users\work~1.cam\appdata\roaming\Panda Security
2010-05-27 15:24:09 0 d-----w- c:\program files\Panda Security
2010-05-26 19:32:40 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-26 15:16:45 0 d-----w- c:\users\work~1.cam\appdata\roaming\Malwarebytes
2010-05-26 15:16:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 15:16:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 15:16:16 0 d-----w- c:\programdata\Malwarebytes
2010-05-26 15:16:16 0 d-----w- c:\program files\Malwarebytes
2010-05-26 04:04:11 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-25 21:13:48 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-25 21:11:13 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-25 21:10:19 0 d-----w- c:\programdata\Lavasoft
2010-05-25 21:10:19 0 d-----w- c:\program files\Lavasoft
2010-05-25 19:41:09 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-25 19:41:02 0 d-----w- c:\users\work~1.cam\appdata\roaming\SUPERAntiSpyware.com
2010-05-25 19:41:02 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-25 19:15:22 691 ----a-w- c:\users\work~1.cam\appdata\roaming\GetValue.vbs
2010-05-25 19:15:22 35 ----a-w- c:\users\work~1.cam\appdata\roaming\SetValue.bat

==================== Find3M ====================

2010-06-16 18:46:13 418038 ----a-w- c:\programdata\nvModes.dat
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-25 19:21:11 0 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-05-25 19:15:21 3472 ----a-w- c:\windows\system32\tmp.reg
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 14:57:45 111176 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2010-05-04 12:36:04 125960 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 17:46:10 111112 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2010-04-30 17:46:08 99336 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2010-04-05 17:01:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-03-31 13:07:42 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-31 13:07:42 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-31 13:07:41 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-04 17:10:34 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-05-05 14:13:52 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-30 05:28:12 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2009-12-30 05:28:12 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2009-12-30 05:28:12 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-10-18 02:26:50 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 14:54:22.37 ===============

And DDS Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 5/4/2009 9:13:03 PM
System Uptime: 6/16/2010 2:45:02 PM (0 hours ago)

Motherboard: Lenovo | | INVALID
Processor: Intel® Core™2 Duo CPU T6400 @ 2.00GHz | CPU 1 | 2000/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 254 GiB total, 168.313 GiB free.
D: is FIXED (NTFS) - 29 GiB total, 19.883 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Microsoft eHome Remote Control Keyboard keys
Device ID: HID\IRDEVICE&COL05\2&D6067AB&0&0004
Manufacturer: Microsoft
Name: Microsoft eHome Remote Control Keyboard keys
PNP Device ID: HID\IRDEVICE&COL05\2&D6067AB&0&0004
Service: kbdhid

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Microsoft eHome MCIR Keyboard
Device ID: HID\IRDEVICE&COL06\2&D6067AB&0&0005
Manufacturer: Microsoft
Name: Microsoft eHome MCIR Keyboard
PNP Device ID: HID\IRDEVICE&COL06\2&D6067AB&0&0005
Service: kbdhid

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Microsoft eHome MCIR 109 Keyboard
Device ID: HID\IRDEVICE&COL07\2&D6067AB&0&0006
Manufacturer: Microsoft
Name: Microsoft eHome MCIR 109 Keyboard
PNP Device ID: HID\IRDEVICE&COL07\2&D6067AB&0&0006
Service: kbdhid

==== System Restore Points ===================


==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
AAC Decoder
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
AeroSnap 0.61
Applian FLV Player
ATK Hotkey
AutoUpdate
AvaCam v3.0.1
Broadcom Gigabit Integrated Controller
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MX700 series
Canon MX700 series User Registration
Canon My Printer
CCleaner
Citrix XenApp Plugin for Hosted Apps
Compatibility Pack for the 2007 Office system
Cooliris for Internet Explorer
DFX for Windows Media Player
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Dolby Control Center
doPDF 6.3 printer
Dream Aquarium
Energy Management
Foxit PDF Editor
Free FLV Converter V 6.6.4
Free Sound Recorder v8.1.1
G-Force
Google Earth Plug-in
Google Update Helper
GoToMeeting 4.1.0.366
H.264 Decoder
HDView for Internet Explorer
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ieSpell
ImgBurn
Inter-Tel Collaboration Client 2.0
ITECIR Driver
Java™ 6 Update 17
Junk Mail filter update
Lenovo Bluetooth with Enhanced Data Rate Software 6.1.0.5100
Lenovo EasyCamera
Lenovo OneKey Recovery
Lenovo System Repair - Windows Update Monitor
LimeWire 5.4.6
Macrium Reflect - Free Edition
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MKV Splitter
MLB.TV NexDef Plug-in
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NBC Direct
NVIDIA Drivers
NVIDIA PhysX
ODF Add-in for Microsoft Office
OffiSync
OGA Notifier 2.0.0048.0
Orbit Downloader
Panda Cloud Antivirus
Pando Media Booster
Pixillion Image Converter
QuickTime
Realtek High Definition Audio Driver
Revo Uninstaller 1.87
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.55.03
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
SoulSeek 157 NS 13d
SUPERAntiSpyware Free Edition
Switch Sound File Converter
Synaptics Pointing Device Driver
Trader Workstation
Ultimate Extras sounds from Microsoft® Tinker™
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb983486)
VC80CRTRedist - 8.0.50727.762
ViGlance
Virtual Earth 3D (Beta)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebEx
WhiteCap
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Sound Schemes
WinRAR archiver
WizMouse v1.0.0.9
Zune
Zune Language Pack (DE)
Zune Language Pack (ES)
Zune Language Pack (FR)
Zune Language Pack (IT)

==== End Of File ===========================


#3 Farbar


Posted 16 June 2010 - 03:40 PM

Hi Camaroon,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Also please avoid editing your post and if needed add a new reply.
  1. Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      CODE
      :filefind
      kbdhid.*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

  2. Run GMER, uncheck all boxes except the box next to Sections (C drive should remain checked), click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.

  3. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @ECHO OFF
    if exist mbr.log del mbr.log
    mbr.exe -t
    ping 1.1.1.1 -n 1 -w 1500 >nul
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Right-click to run it as administrator.
    • A notepad opens, copy and paste the content (log.txt) to your reply.


#4 Camaroon

Camaroon
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 16 June 2010 - 11:09 PM

I ran SystemLook, attached the txt file and pasted the contents below. I also successfully ran GMER, attached the text file, and pasted the contents. But the mbr look.bat file didn't work. I got an error when running it. I created a jpeg file of each error I received and attached it. Let me know if you can't open the jpegs and I'll type the errors out. Thanks for your help!

This is the log from SystemLook:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 23:59 on 16/06/2010 by Work (Administrator - Elevation successful)

========== filefind ==========

Searching for "kbdhid.*"
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_93b1c41f\kbdhid.sys --a--- 15872 bytes [10:25 02/11/2006] [08:51 02/11/2006] D2600CB17B7408B4A83F231DC9A11AC3
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdhid.sys --a--- 15872 bytes [04:22 05/05/2009] [04:22 05/05/2009] ED61DBC6603F612B7338283EDBACBC4B
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\kbdhid.sys --a--- 15872 bytes [13:37 05/05/2009] [05:49 19/01/2008] 18247836959BA67E3511B62846B9C2E0
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_f55d5e51\kbdhid.sys --a--- 17408 bytes [03:15 28/05/2009] [04:38 11/04/2009] EDE59EC70E25C24581ADD1FBEC7325F7
C:\Windows\System32\drivers\en-US\kbdhid.sys.mui --a--- 3072 bytes [12:39 02/11/2006] [12:39 02/11/2006] 280DB70CDCDB97009AEA5E4BD15F30B3
C:\Windows\System32\drivers\kbdhid.sys --a--- 0 bytes [03:15 28/05/2009] [19:21 25/05/2010] D41D8CD98F00B204E9800998ECF8427E
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_2c720f8d6f7323d4\kbdhid.sys.mui --a--- 3072 bytes [12:39 02/11/2006] [12:39 02/11/2006] 280DB70CDCDB97009AEA5E4BD15F30B3
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_ar-sa_982bf1fdaa2cfde6\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] DEDDA58D1372ADB6026C1965B5B54483
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_cs-cz_e9754a2188352b68\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 2A6644A6613A395D662B9C33B0F9E1BD
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_da-dk_86af2a487e7b2767\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] FF973993A58E1D2CD6AB435C44FCEAAD
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_de-de_83dabf8480517c01\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 622279C62773A515D23772569479A952
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_el-gr_2c70ed176f66e48f\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] DD867E1E8D411441776093274321D25D
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_en-us_2ccb957d6f2f87c6\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 8E057CC3A1805EBAB5F2524EAAE30985
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_es-es_2c96f2616f56796b\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 8DC0B62E69F05E894292A4A14920B224
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_fi-fi_cbb1f70e64706b95\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 76EEF9733583132AAD1E88897761162C
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_fr-fr_cf4e686062288fcd\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 468E284A34540854F0A6B1B35CE0082D
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_he-il_136e1002489790bb\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] DAC98CB18F0BAE46EEFB5722453D497E
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_hu-hu_16bee8a846885ee9\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 8088A0FEAB186ABC63527B53B1258843
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_it-it_b9765ea7395a754b\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 0AEFE5E7B55185EEA41577CCBFB18794
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_ja-jp_5b9bddb42c758726\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] BCA50C70D20353C065446151C2A957E1
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_ko-kr_ff05ba691ee64e3c\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] FBEDD2AE1DAC3026C9689576E66D42F5
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_nb-no_e7983b9df70b79f8\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 2D872FBE885DD6804274DF2322E8D1A3
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_nl-nl_e5d786dbf83783cd\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] BF57EBC4A2F3BAD243833BA8F1B2A7AC
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_pl-pl_2c13e15ddd59f181\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 16F808F059CEFA1FBB509B1E04780B52
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_pt-br_2e67cc01dbe38565\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] C08D68DFA950A5E4A7DFEE4E5D3E3E4C
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_pt-pt_2f499b6ddb52f541\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 8899BB64098C527CF16FAA88561C0825
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_ru-ru_75ecad31c034836d\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 8D5DA98FA6799055A074E830252B4FE5
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_sv-se_11e797a6b75d8dc8\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] DCAEBA6854E61B22B031650FCB19D646
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_tr-tr_baf4e1eda6198fb9\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] A7B504A110802E93F57CEC2F7D6B3EF2
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_zh-cn_8c51ffeb565161d8\kbdhid.sys.mui --a--- 2560 bytes [04:22 05/05/2009] [04:22 05/05/2009] 8BBD06CD26BD7380FEEC97D8C7D2AFA2
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_zh-tw_904e3d4153c23e48\kbdhid.sys.mui --a--- 2560 bytes [04:22 05/05/2009] [04:22 05/05/2009] 228D0C6E371A8E168DBD667E9DEC0ADA
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_ar-sa_98901d92c36772d0\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 68F13E952E40AA43BC6134999DAE5BA5
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_cs-cz_e9d975b6a16fa052\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 347D96DBEDF30754808E854389575F74
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_da-dk_871355dd97b59c51\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 1F7F2CD9B6177A28CE3B4718BB6CC8DA
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_de-de_843eeb19998bf0eb\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 4954D0F1F14A1309BEE8F0BCC35FA2BA
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_el-gr_2cd518ac88a15979\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] C2C62515ECD6B851F3D88F7A75499A8D
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_en-us_2d2fc1128869fcb0\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 8FA6EF98726C1BD9D56BF92C5111A92B
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_es-es_2cfb1df68890ee55\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] AA1C9F11252EFC2A0EDDE9F2007691AE
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_fi-fi_cc1622a37daae07f\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 2BC65D039DDC3EA32D014E7EC0265D60
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_fr-fr_cfb293f57b6304b7\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 4DE2FE3CC9084FBBD8A09053F80AE36A
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_he-il_13d23b9761d205a5\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 7806FD63810A7173BFAEC9BF930BFB01
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_hu-hu_1723143d5fc2d3d3\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 5205DBD7A76F9867DA19825C464D890D
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_it-it_b9da8a3c5294ea35\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] BE708C4DD8B34DF89D9583CA26A0A9AC
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_ja-jp_5c00094945affc10\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] A665A87A69610DB72EE4BA45F2CB76F2
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_ko-kr_ff69e5fe3820c326\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 08A19E955FC25FC98FD252F79F2C6DF7
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_nb-no_e7fc67331045eee2\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 71BAC6B20C688E5C820287A1B1CF5129
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_nl-nl_e63bb2711171f8b7\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 4C5B7B7F2BC46209BB6A621C2652B57E
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_pl-pl_2c780cf2f694666b\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 18A169556AD5EF33F54DACB88AD3DB71
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_pt-br_2ecbf796f51dfa4f\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 12AE9AFC8131E1ED156A1441BD8576B1
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_pt-pt_2fadc702f48d6a2b\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] 1A80EEB9EDFC8E37D596A04107D43E55
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_ru-ru_7650d8c6d96ef857\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] B78BB35A2D327797CA73AF3582FC40BF
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_sv-se_124bc33bd09802b2\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] DD8FBA36AA45503ED885A0872E9F1801
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_tr-tr_bb590d82bf5404a3\kbdhid.sys.mui --a--- 3072 bytes [04:22 05/05/2009] [04:22 05/05/2009] BF8C82F76BB369B0B0D214F79A3DE061
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_zh-cn_8cb62b806f8bd6c2\kbdhid.sys.mui --a--- 2560 bytes [04:22 05/05/2009] [04:22 05/05/2009] AA075FB3E94CC155A2AC5C55B2E15596
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_zh-tw_90b268d66cfcb332\kbdhid.sys.mui --a--- 2560 bytes [04:22 05/05/2009] [04:22 05/05/2009] A27153CCF5E3E5D83AF3A9B2233D0BC6
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6001.18000_en-us_2ea8d1896c5e34a8\kbdhid.sys.mui --a--- 3072 bytes [12:39 02/11/2006] [12:39 02/11/2006] 280DB70CDCDB97009AEA5E4BD15F30B3
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.16609_none_957131ccdbca3f9c\kbdhid.sys --a--- 15872 bytes [04:22 05/05/2009] [04:22 05/05/2009] ED61DBC6603F612B7338283EDBACBC4B
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.20734_none_95d55d61f504b486\kbdhid.sys --a--- 15872 bytes [04:22 05/05/2009] [04:22 05/05/2009] 97AB2FB84E8E77D93CEE85550F4CF7F9
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6001.18000_none_974e6dd8d8f8ec7e\kbdhid.sys --a--- 15872 bytes [13:37 05/05/2009] [05:49 19/01/2008] 18247836959BA67E3511B62846B9C2E0
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\kbdhid.sys --a--- 17408 bytes [03:15 28/05/2009] [04:38 11/04/2009] EDE59EC70E25C24581ADD1FBEC7325F7

-=End Of File=-


GMER Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-16 23:28:54
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\WORK~1.CAM\AppData\Local\Temp\pwloakow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\DRIVERS\smb.sys entry point in ".rsrc" section [0x8EFF0014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[3560] ntdll.dll!NtProtectVirtualMemory 77D74D34 5 Bytes JMP 0024000A
.text C:\Windows\Explorer.EXE[3560] ntdll.dll!NtWriteVirtualMemory 77D75674 5 Bytes JMP 008F000A
.text C:\Windows\Explorer.EXE[3560] ntdll.dll!KiUserExceptionDispatcher 77D75DC8 5 Bytes JMP 0023000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] ntdll.dll!NtProtectVirtualMemory 77D74D34 5 Bytes JMP 0046000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] ntdll.dll!NtWriteVirtualMemory 77D75674 5 Bytes JMP 0047000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] ntdll.dll!KiUserExceptionDispatcher 77D75DC8 5 Bytes JMP 0045000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] USER32.dll!CreateWindowExW 77EE1305 5 Bytes JMP 6AF3DB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] USER32.dll!DialogBoxParamW 77F010B0 5 Bytes JMP 6AE654C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] USER32.dll!DialogBoxIndirectParamW 77F02EF5 5 Bytes JMP 6B03480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] USER32.dll!DialogBoxParamA 77F18152 5 Bytes JMP 6B0347AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] USER32.dll!DialogBoxIndirectParamA 77F1847D 5 Bytes JMP 6B034872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] USER32.dll!MessageBoxIndirectA 77F2D4D9 5 Bytes JMP 6B034741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] USER32.dll!MessageBoxIndirectW 77F2D5D3 5 Bytes JMP 6B0346D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] USER32.dll!MessageBoxExA 77F2D639 5 Bytes JMP 6B034674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4584] USER32.dll!MessageBoxExW 77F2D65D 5 Bytes JMP 6B034612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] ntdll.dll!NtProtectVirtualMemory 77D74D34 5 Bytes JMP 014F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] ntdll.dll!NtWriteVirtualMemory 77D75674 5 Bytes JMP 0150000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] ntdll.dll!KiUserExceptionDispatcher 77D75DC8 5 Bytes JMP 014E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!SetWindowsHookExW 77ED87AD 5 Bytes JMP 6AF39AC9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!CallNextHookEx 77ED8E3B 5 Bytes JMP 6AF2D0ED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!UnhookWindowsHookEx 77ED98DB 5 Bytes JMP 6AEA467C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!CreateWindowExW 77EE1305 5 Bytes JMP 6AF3DB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!DialogBoxParamW 77F010B0 5 Bytes JMP 6AE654C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!DialogBoxIndirectParamW 77F02EF5 5 Bytes JMP 6B03480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!DialogBoxParamA 77F18152 5 Bytes JMP 6B0347AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!DialogBoxIndirectParamA 77F1847D 5 Bytes JMP 6B034872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!MessageBoxIndirectA 77F2D4D9 5 Bytes JMP 6B034741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!MessageBoxIndirectW 77F2D5D3 5 Bytes JMP 6B0346D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!MessageBoxExA 77F2D639 5 Bytes JMP 6B034674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!MessageBoxExW 77F2D65D 5 Bytes JMP 6B034612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] ole32.dll!OleLoadFromStream 77BE1E12 5 Bytes JMP 6B034B77 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] ole32.dll!CoCreateInstance 77C19EA6 5 Bytes JMP 6AF3DB78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\DRIVERS\smb.sys suspicious modification

---- EOF - GMER 1.0.15 ----
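A triage script for the two logs in this post, added here as an example and not part of the thread, of SystemLook or of GMER: it parses the SystemLook filefind lines and the GMER kernel-section lines (a few lines from the logs above are embedded as the sample), flags a driver under System32\drivers that is empty or whose MD5 matches none of its DriverStore/winsxs copies, and reports any driver GMER shows with its entry point inside the .rsrc section. The regexes and the path classification are my assumptions about the two tools' output formats.

```python
"""Triage the SystemLook filefind and GMER logs posted above.

Added example, not part of the thread or of either tool. It flags the two
findings the helper acted on: a driver under System32\\drivers that is empty
(0 bytes, MD5 of empty input) or whose MD5 matches none of the vendor copies
kept in DriverStore/winsxs, and a GMER kernel-section line reporting a driver
whose entry point lies in its ".rsrc" section, which a clean PE never has.
The regexes and path classification are assumptions about the tools' output.
"""
import ntpath
import re
from collections import defaultdict

# MD5 of zero bytes; SystemLook reports it for an empty file.
EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"

# One SystemLook filefind result: path, attributes, size, two timestamps, MD5.
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-F]{32})$"
)
# One GMER "Kernel code sections" line naming the section holding the entry point.
GMER_SECTION_RE = re.compile(
    r'^(?P<section>\.\w+)\s+(?P<path>[A-Za-z]:\\\S+)\s+entry point in "(?P<entry>[^"]+)" section'
)

# Sample input: five lines copied from the SystemLook log in this post.
SYSTEMLOOK_SAMPLE = r"""
Searching for "kbdhid.*"
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_93b1c41f\kbdhid.sys --a--- 15872 bytes [10:25 02/11/2006] [08:51 02/11/2006] D2600CB17B7408B4A83F231DC9A11AC3
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_f55d5e51\kbdhid.sys --a--- 17408 bytes [03:15 28/05/2009] [04:38 11/04/2009] EDE59EC70E25C24581ADD1FBEC7325F7
C:\Windows\System32\drivers\en-US\kbdhid.sys.mui --a--- 3072 bytes [12:39 02/11/2006] [12:39 02/11/2006] 280DB70CDCDB97009AEA5E4BD15F30B3
C:\Windows\System32\drivers\kbdhid.sys --a--- 0 bytes [03:15 28/05/2009] [19:21 25/05/2010] D41D8CD98F00B204E9800998ECF8427E
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\kbdhid.sys --a--- 17408 bytes [03:15 28/05/2009] [04:38 11/04/2009] EDE59EC70E25C24581ADD1FBEC7325F7
"""

# Sample input: the two lines about smb.sys from the GMER log in this post.
GMER_SAMPLE = r"""
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\Windows\system32\DRIVERS\smb.sys entry point in ".rsrc" section [0x8EFF0014]
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\DRIVERS\smb.sys suspicious modification
"""


def parse_filefind(text):
    """Return one dict per SystemLook filefind result line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def _role(path):
    """Classify a path as the copy Windows loads, a vendor backup copy, or other."""
    low = path.lower()
    if "\\driverstore\\" in low or "\\winsxs\\" in low:
        return "backup"
    if ntpath.dirname(low).endswith("\\system32\\drivers"):
        return "live"
    return "other"


def find_driver_anomalies(entries):
    """Compare each live driver with the DriverStore/winsxs copies of the same name.

    Returns (path, reason) pairs. A hash that matches no backup copy is only a
    lead, since a newer servicing update can legitimately leave no backup copy.
    """
    backups = defaultdict(set)
    for e in entries:
        if _role(e["path"]) == "backup":
            backups[ntpath.basename(e["path"]).lower()].add(e["md5"])
    findings = []
    for e in entries:
        if _role(e["path"]) != "live":
            continue
        name = ntpath.basename(e["path"]).lower()
        if e["size"] == 0 or e["md5"] == EMPTY_MD5:
            findings.append((e["path"], "empty file (0 bytes, MD5 of empty input)"))
        elif e["md5"] not in backups.get(name, set()):
            findings.append((e["path"], "hash matches no DriverStore/winsxs copy"))
    return findings


def gmer_rsrc_entry_points(text):
    """Return driver paths that GMER reports with an entry point inside ".rsrc"."""
    hits = []
    for line in text.splitlines():
        m = GMER_SECTION_RE.match(line.strip())
        if m and m.group("entry").lower() == ".rsrc":
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    for path, why in find_driver_anomalies(parse_filefind(SYSTEMLOOK_SAMPLE)):
        print(f"[SystemLook] {path}: {why}")
    for path in gmer_rsrc_entry_points(GMER_SAMPLE):
        print(f"[GMER] {path}: entry point in .rsrc, driver body likely patched")
```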


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:13 AM

Posted 17 June 2010 - 01:27 AM

I'm you run the batch file as administrator. Then the error might be related to a bad download. We don't need it any more.

Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
  • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Close all the open windows.
  • Right-click TDLfix.exe to run the tool as administrator, a command window opens.
  • Type (or copy the following and right-click to paste) in the command window and press Enter:

    smb
  • The application will restart the computer immediately and run after the restart.
  • Tell me if the computer rebooted and ran to completion.



#6 Camaroon

Camaroon
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 17 June 2010 - 08:45 AM

I just finished performing these steps and everything seemed to go smoothly. The program rebooted the computer and literally ran for about 10 seconds or less when it restarted. I've performed a couple of searches and everything seems to be linking correctly now. I'm going to enable all my system protection now. Is that it? Is this virus finally eradicated from my system?? What are the next steps?

As someone who works with this stuff every day, I'd really appreciate your opinion on the best anti-malware software to use. I used to use AVG but got a virus with it so I started researching other alternatives and Panda Cloud was getting excellent reviews for their new program. So I started using that about 2 weeks ago. Shows that no program is completely comprehensive. I also use Windows Defender and Windows firewall in conjunction with that. If you have any other recommendations for free software I would really appreciate it.

Again, thanks for all your help with this!

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:13 AM

Posted 17 June 2010 - 11:59 AM

The rootkit is taken care of.
  1. Run TDLfix, type del and press Enter. This will delete the quarantined infected file and mbr.exe. Delete the tool from your desktop.

  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    sc query kbdhid >log.txt 2>&1
    sc qc kbdhid >>log.txt 2>&1
    START log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Right-click to run it as administrator.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  3. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions if the tool could not uninstall them.

  4. Run CCleaner (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked). Then click run cleaner.

  5. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






#8 Camaroon

Camaroon
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 17 June 2010 - 12:35 PM

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4209

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

6/17/2010 1:24:03 PM
mbam-log-2010-06-17 (13-24-03).txt

Scan type: Quick scan
Objects scanned: 149223
Time elapsed: 7 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



And here's the look.bat log:

SERVICE_NAME: kbdhid
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
WIN32_EXIT_CODE : 31 (0x1f)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: kbdhid
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : system32\DRIVERS\kbdhid.sys
LOAD_ORDER_GROUP : Keyboard Port
TAG : 6
DISPLAY_NAME : Keyboard HID Driver
DEPENDENCIES :
SERVICE_START_NAME :


Again, thank you so much for all your help in this matter. I can not tell you how relieved I am. I will certainly be coming back here for computer help in the future. Again, if you have any recommendations for free anti-malware programs other than the ones I'm currently using, I would love to hear about them. Thanks!!!!

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:13 AM

Posted 17 June 2010 - 12:43 PM


Let's take care of this keyboard driver.
  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    echo y| cacls C:\Windows\System32\drivers\kbdhid.sys /p everyone:f >log2.txt 2>&1
    del /a/f/q C:\Windows\System32\drivers\kbdhid.sys >>log2.txt 2>&1
    ping 1.1.1.1 -n 1 -w 10000 >nul 2>&1
    dir /a C:\Windows\System32\drivers\kbdhid.sys >>log2.txt 2>&1
    START log2.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop.
    • Right-click to run it as administrator.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  2. Now reboot the computer and run look.bat from previous post and post the log.


#10 Camaroon

Camaroon
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 17 June 2010 - 02:18 PM

Here's the fix.bat log:

Are you sure (Y/N)?processed file: C:\Windows\System32\drivers\kbdhid.sys
Volume in drive C has no label.
Volume Serial Number is 7241-4B1D

Directory of C:\Windows\System32\drivers

File Not Found

And here's the look.bat log:


SERVICE_NAME: kbdhid
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
WIN32_EXIT_CODE : 31 (0x1f)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: kbdhid
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : system32\DRIVERS\kbdhid.sys
LOAD_ORDER_GROUP : Keyboard Port
TAG : 6
DISPLAY_NAME : Keyboard HID Driver
DEPENDENCIES :
SERVICE_START_NAME :


I didn't realize there was a problem with a keyboard driver. What's going on?

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:13 AM

Posted 17 June 2010 - 02:52 PM

This is a Microsoft keyboard driver. The size of the file was 0, meaning that if you used one of those Microsoft keyboards (have you used one before?) it would not work. But now, if you use one, it will install the driver.

How is everything running?

#12 Camaroon

Camaroon
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 17 June 2010 - 03:12 PM

I've never used an external keyboard on this before (using a laptop). Thanks for fixing that!

Everything seems to be working fine. It's booting faster, and obviously no more redirect search results. However, I've been trying to run a system scan with Panda and it doesn't seem to be working right. This seems to be a problem noted in their support forums, but it will get stuck at a certain percentage and stop and freeze. Also, instead of it cycling through the files that it's scanning, it just says "Extracting file..." I tried running it before your last post and it got stuck somewhere around 244,000 files and 28%. I stopped it when I performed the steps you requested. I have it running right now and it's stuck at 51,723 and 3%. And it's eating up like 50% of my cpu. Hopefully this gets resolved as well because from what I read, this is supposed to be an excellent free AV program.

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:13 AM

Posted 17 June 2010 - 03:32 PM

Have you paid for Panda?

#14 Camaroon

Camaroon
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 17 June 2010 - 03:37 PM

Nope, just the free version. It's up to 11% now but it's going very slow. In the reviews I read they seemed to mention that the scans generally were pretty quick but I've had this one on for at least a half hour now. None of the scans I've run with this since I installed it have been any shorter than the ones I used to do with AVG. I only scan once a week so I generally do a full scan of the C: drive. On another note, it doesn't say "Extracting File..." anymore.

Edited by Camaroon, 17 June 2010 - 03:37 PM.


#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:13 AM

Posted 17 June 2010 - 03:54 PM

Then I recommend this good free antivirus:

Avira
  • Download the installer from the softpedia.com link, as it has a secure download mirror. But don't install it now.
  • Go to Add/Remove programs and uninstall Panda, then reboot.
  • Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can get the last report also by clicking on Reports on the left pane.
  • In the right window under Action double-click on the last Scan listed (you will also see the corresponding Date/Time).
  • A window opens, click on Report file.
  • Copy and paste the content of the report to your reply.




