
Infected by malware, cannot run Malwarebytes and GMER


41 replies to this topic

#1 cwjian90

  • Members
  • 65 posts

Posted 25 September 2011 - 07:23 AM

Hi,

I've been infected by a malware that seems to have hijacked my browser, reset my Windows Firewall, and won't let me run Malwarebytes or GMER (both will start up for a moment before shutting down by themselves)... When I try to run GMER again after it shuts down, it simply says that Windows cannot access the specified path/folder, and that I may not have appropriate permission to access the item. I have been able to run DDR, however, and have the logs attached...

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_24
Run by CW at 8:11:37 on 2011-09-25
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1843 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\1706881988:990659482.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\brsvc01a.exe
C:\Windows\system32\brss01a.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\taskeng.exe
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ApexDC++\ApexDC.exe
C:\Users\CW\Desktop\The Stump\YnHub.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\CW\Bento\YnHub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\conime.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startup
uRun: [Google Update] "c:\users\cw\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
StartupFolder: c:\users\cw\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD6} - hxxps://www.aaasec.com.my/webecos/control2/csoex_aaa.cab
DPF: {B9B2EE1A-E314-4338-A305-BE845EACB113} - hxxps://www.aaasec.com.my/webecos/control/csw25.cab
TCP: DhcpNameServer = 128.100.56.135 128.100.100.128 128.100.96.34
TCP: Interfaces\{1844231D-006C-430C-A823-7E4B2B0516C9} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{3E06F239-1990-4747-B480-A10D1F07A3EB} : DhcpNameServer = 128.100.56.135 128.100.100.128 128.100.96.34
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\cw\appdata\roaming\mozilla\firefox\profiles\t42tfozs.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - google.ca
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\cw\appdata\local\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2011-1-6 14464]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2011-1-6 73728]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-1-6 102448]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-11-28 1962136]
S3 kbeepm;kbeepm;c:\users\cw\appdata\local\temp\kbeepm.sys [2011-3-28 29696]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-11-28 122008]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-25 12:08:57 -------- d-----w- c:\users\cw\appdata\local\{3181F8CC-CC21-4D67-B9CC-3D0556DCCE8D}
2011-09-25 11:28:42 -------- d-----w- c:\users\cw\appdata\local\{46D59756-B9E3-4651-8F81-A9F9B6717AED}
2011-09-25 06:57:42 -------- d-----w- c:\program files\Storm Eagle Studios
2011-09-25 06:50:17 -------- d-----w- c:\users\cw\appdata\roaming\Downloaded Installations
2011-09-24 21:54:17 -------- d-----w- c:\users\cw\appdata\local\{FAD35A0A-1909-4EFE-B084-46D822F11B93}
2011-09-23 05:48:41 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{96eb0c3c-d4a5-4e4e-939a-e96e3acadc45}\offreg.dll
2011-09-23 05:48:38 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{96eb0c3c-d4a5-4e4e-939a-e96e3acadc45}\mpengine.dll
2011-09-21 02:39:40 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-09-20 22:58:00 -------- d-----w- c:\users\cw\maxima
2011-09-20 12:33:13 -------- d-----w- c:\users\cw\appdata\local\{2BCB7F54-4029-4D91-9CD1-1FB6B72250A0}
2011-09-17 04:16:06 -------- d-----w- c:\windows\system32\Adobe
2011-09-16 04:18:54 -------- d-----w- c:\users\cw\appdata\local\{5E630D12-DFA6-419A-9CEF-FBE9126F611A}
2011-09-13 21:55:12 -------- d-----w- c:\program files\Maxima-5.25.1-gcl
2011-09-11 13:31:27 -------- d-----w- C:\Desktop
2011-09-09 17:32:41 -------- d-----w- c:\users\cw\appdata\local\{79C96E4E-6210-4EBC-BEAC-9A24D1BCCEF8}
2011-09-08 18:08:02 -------- d-----w- c:\users\cw\appdata\local\{EA0DADA0-C34A-469E-84DF-4BAA12B077D2}
2011-09-07 16:26:05 -------- d-----w- c:\users\cw\language
2011-09-07 16:26:05 -------- d-----w- c:\users\cw\feed
2011-09-07 16:25:46 2083840 ---ha-w- c:\users\cw\YnHub.exe
2011-09-07 16:25:46 -------- d-----w- c:\users\cw\settings
2011-09-06 19:48:08 -------- d-----w- c:\users\cw\appdata\local\{9762E9D1-FD52-417E-8642-327FEE4207CD}
2011-09-05 19:40:39 -------- d-----w- c:\program files\Vietcong
2011-09-04 17:14:26 -------- d-----w- c:\program files\Blitzkrieg Anthology
2011-09-04 07:58:34 -------- d-----w- c:\program files\MSXML 4.0
2011-09-04 07:55:37 -------- d-----w- c:\program files\1C
2011-09-04 06:04:54 -------- d-----w- c:\program files\Borg
2011-09-03 21:55:11 -------- d-----w- c:\users\cw\appdata\local\{CBF1C4B5-A2CD-4BED-B71F-16ACFD80BD72}
2011-09-03 18:23:57 -------- d-----w- c:\users\cw\appdata\local\{C2824B49-68E8-4543-9E4A-47B4733A153F}
2011-09-02 07:32:43 -------- d-----w- c:\users\cw\appdata\local\{75653811-D5B0-4023-9BEB-7783A757A629}
2011-09-02 04:06:32 -------- d-----w- c:\users\cw\appdata\local\{60FC629F-2F38-4A39-8685-967AABFFBC26}
2011-08-28 05:54:26 -------- d-----w- c:\users\cw\appdata\local\{8250585A-5943-4D40-B776-B1AE884ECF9D}
2011-08-27 07:30:51 -------- d-----w- c:\users\cw\appdata\local\{4F50E792-54B0-48A5-BCC1-8C31F4C6CD75}
2011-08-27 01:32:06 -------- d-----w- c:\users\cw\appdata\local\{D6DF5BF7-755C-4E3C-B287-827274A88DF3}
.
==================== Find3M ====================
.
2011-09-25 11:59:33 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-08 19:52:59 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-02 03:17:58 233984 ----a-w- c:\users\cw\WrathEdLauncher.exe
2011-07-08 10:49:21 9359560 ----a-w- c:\users\cw\Install_MSN_Messenger_7.5.exe
.
============= FINISH: 8:13:12.85 ===============


Hope you can help...

Thanks in advance...

Edited by cwjian90, 25 September 2011 - 07:26 AM.


#2 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 28 September 2011 - 09:07 PM

cwjian90,

The information provided shows the characteristics of the ZeroAccess Rootkit.

First, let's take care of this file:
C:\Windows\1706881988:990659482.exe

It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip

Unzip the folder:
Right-click and select: Extract all
Follow the prompts to extract

Open the new folder that appears on the Desktop:
Double-click DummyCreator/DummyMaker to run the tool.

Now, copy/paste the following into the blank area:

C:\Windows\1706881988

Press the Create button.

Save the content of the Result.txt to your Desktop, and post it in your reply.

Next, restart the computer!


Please do not run any malware removal programs while we are in the process of malware repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

Old duck...


#3 cwjian90
  • Topic Starter

  • Members
  • 65 posts

Posted 28 September 2011 - 09:17 PM

Hi Aaflac,

Thanks for the reply :). I've done as you've asked:

DummyCreator by Farbar
Ran by CW (administrator) on 28-09-2011 at 22:08:45
**************************************************************

C:\Windows\1706881988 [28-09-2011 22:08:45]

== End of log ==

Please advise. :)

#4 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 28 September 2011 - 10:25 PM

That is the result we want. :thumbup2:


Please do the following, running ComboFix first and TDSSKiller next. If ComboFix does not run, press on to run TDSSKiller.


If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version.

Download ComboFix

Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications, usually via right-clicking on the System Tray icon. They may interfere with the running of CF.

Note: Information on disabling security programs is available through this link


Right-click on ComboFix.exe and select: 'Run as Administrator'


Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



Next, remove any previous download of TDSSKiller (if used) and download the latest version: TDSSKiller.exe

Save the file to your Desktop!!

Execute the file:
Right-click TDSSKiller and select: 'Run as Administrator'

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller report in your reply.



Need to see the following in your reply:
**The ComboFix log
**The TDSSKiller log
**Whether TDSSKiller needed a reboot


Thanks!

Old duck...


#5 cwjian90
  • Topic Starter

  • Members
  • 65 posts

Posted 29 September 2011 - 10:07 AM

Hi Aaflac,

I ran the Combofix, and it rebooted, but now my keyboard can't work and I can't find the log...I remember it saying that it found rootkits in a few files and restored them.
I tried running it again, but this time nothing came up...TDSSKiller detected a rootkit in kbdclass.sys, which I suspect is causing the inbuilt keyboard and mouse to not work. Only my USB mouse works...



#6 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 29 September 2011 - 02:49 PM

cwjian90,

The file that is patched looks like the keyboard driver. That is why you are having the problems.


Combofix shows it ran four times...

Please post the other logs, they should be here:

C:\qoobox\ComboFix2.txt
C:\Qoobox\ComboFix3.txt


Also need to see what the first run of Combofix removed, it should be here:

C:\Qoobox\ComboFix-quarantined-files.txt

You can attach the files to your reply.


Now, please download SystemLook from one of the links below:
Link 1
Link 2


Save the file to the Desktop

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following code box into the open textfield:

:filefind
kbdclass

  • Click the Look button to start the scan.
  • When finished, a Notepad window opens with the results of the scan. Please post the SystemLook.txt in your reply.


Thanks.

Edited by Aaflac, 29 September 2011 - 02:51 PM.

Old duck...


#7 cwjian90
  • Topic Starter

  • Members
  • 65 posts

Posted 29 September 2011 - 06:38 PM

Keyboard not working... Copy-pasting txt... Please advise




#8 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 29 September 2011 - 08:57 PM

Please run SystemLook once again.

This time, use the following in the open text-field:

:filefind
kbdclass.*

Just >post< the results in your reply.


What brand/model computer is this?

Edited by Aaflac, 29 September 2011 - 09:02 PM.

Old duck...


#9 cwjian90
  • Topic Starter

  • Members
  • 65 posts

Posted 29 September 2011 - 11:37 PM

Hi,

Brand is Dell.
Model is Inspiron 1520.

Here's the log:
SystemLook 30.07.11 by jpshortstuff
Log created at 00:34 on 30/09/2011 by CW
Administrator - Elevation successful

========== filefind ==========

Searching for "kbdclass.*"
C:\Windows\LastGood\system32\DRIVERS\kbdclass.sys --a---- 35384 bytes [13:12 29/09/2011] [02:23 21/01/2008] 1E9BA92F2B971F07B0772B9F805F5A0C
C:\Windows\System32\drivers\kbdclass.sys --a---- 35384 bytes [02:23 21/01/2008] [02:23 21/01/2008] 1E9BA92F2B971F07B0772B9F805F5A0C
C:\Windows\System32\drivers\en-US\kbdclass.sys.mui --a---- 4608 bytes [12:41 02/11/2006] [12:41 02/11/2006] 69A5D812DA82E2236BF5A00E977E3E5C
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_93b1c41f\kbdclass.sys --a---- 32872 bytes [10:25 02/11/2006] [09:49 02/11/2006] 1A48765F92BA1A88445FC25C9C9D94FC
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdclass.sys --a---- 35384 bytes [02:09 21/01/2008] [02:09 21/01/2008] B076B2AB806B3F696DAB21375389101C
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\kbdclass.sys --a---- 35384 bytes [02:23 21/01/2008] [02:23 21/01/2008] 37605E0A8CF00CBBA538E753E4344C6E
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_f55d5e51\kbdclass.sys --a---- 35384 bytes [02:23 21/01/2008] [02:23 21/01/2008] 37605E0A8CF00CBBA538E753E4344C6E
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_2c720f8d6f7323d4\kbdclass.sys.mui --a---- 4608 bytes [12:41 02/11/2006] [12:41 02/11/2006] 69A5D812DA82E2236BF5A00E977E3E5C
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_ar-sa_982bf1fdaa2cfde6\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] 45190983C75D892CCDD4834F09DCEE14
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_cs-cz_e9754a2188352b68\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] 5C66636BBC99C406E8DB2EBE3C250E24
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_da-dk_86af2a487e7b2767\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] 64850C48023D1F36671216088F1577B2
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_de-de_83dabf8480517c01\kbdclass.sys.mui --a---- 5632 bytes [02:09 21/01/2008] [02:09 21/01/2008] D60B9C38273A97F14431679C63507184
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_el-gr_2c70ed176f66e48f\kbdclass.sys.mui --a---- 6144 bytes [02:09 21/01/2008] [02:09 21/01/2008] 63F99369155876F698B251989F86205E
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_en-us_2ccb957d6f2f87c6\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] BEE6D87D0AAC1C0E639DD4BE4CB05024
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_es-es_2c96f2616f56796b\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] A899EC8ECAB2A5F1B4240901772FDA34
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_fi-fi_cbb1f70e64706b95\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] 9C63C3593304E5C3D5003CF5C974B6C1
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_fr-fr_cf4e686062288fcd\kbdclass.sys.mui --a---- 5632 bytes [02:09 21/01/2008] [02:09 21/01/2008] 404544824FCEF54AE17F2739A07FCE83
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_he-il_136e1002489790bb\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] 5823AACA41FFD613A9D83A1A460BF5FB
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_hu-hu_16bee8a846885ee9\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] 67D97A8C3497AA1B9A16BB4D864802BC
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_it-it_b9765ea7395a754b\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] 21D1A0DF1117B20CA4D876959B1FE3E3
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_ja-jp_5b9bddb42c758726\kbdclass.sys.mui --a---- 4096 bytes [02:09 21/01/2008] [02:09 21/01/2008] 151CEAD6D2DE0109150A2C6BDA20E354
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_ko-kr_ff05ba691ee64e3c\kbdclass.sys.mui --a---- 4096 bytes [02:09 21/01/2008] [02:09 21/01/2008] 9E5CE928E2FCAA35FDE877CF3D8E73B7
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_nb-no_e7983b9df70b79f8\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] 8475390D112F5377E6131A0009C1FF8B
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_nl-nl_e5d786dbf83783cd\kbdclass.sys.mui --a---- 5632 bytes [02:09 21/01/2008] [02:09 21/01/2008] 517497F7C4AC3219882454600AC8F92B
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_pl-pl_2c13e15ddd59f181\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] 4C52C6741A6199D756C463966DA1DD08
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_pt-br_2e67cc01dbe38565\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] 0E3CF2840FFCF864A1C1FD55D63B3838
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_pt-pt_2f499b6ddb52f541\kbdclass.sys.mui --a---- 5632 bytes [02:09 21/01/2008] [02:09 21/01/2008] 3B2B979CACA04268C75B4B8235961511
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_ru-ru_75ecad31c034836d\kbdclass.sys.mui --a---- 5120 bytes [02:10 21/01/2008] [02:10 21/01/2008] 764092540B76BE70D2E2B680878282E9
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_sv-se_11e797a6b75d8dc8\kbdclass.sys.mui --a---- 5120 bytes [02:10 21/01/2008] [02:10 21/01/2008] 54A8D4D73A290DA5DDEF551FA850A5DD
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_tr-tr_baf4e1eda6198fb9\kbdclass.sys.mui --a---- 5120 bytes [02:10 21/01/2008] [02:10 21/01/2008] 7FEC310A14B9145206919EA7E5B3ED7A
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_zh-cn_8c51ffeb565161d8\kbdclass.sys.mui --a---- 3584 bytes [02:10 21/01/2008] [02:10 21/01/2008] E1FB9F5510379F8B1B22B2F677242F35
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.16609_zh-tw_904e3d4153c23e48\kbdclass.sys.mui --a---- 3584 bytes [02:10 21/01/2008] [02:10 21/01/2008] 853CDA44EFFB5A19464388823ADE8F14
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_ar-sa_98901d92c36772d0\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] FA5E8B274DB99B89392B98CFADCDEE04
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_cs-cz_e9d975b6a16fa052\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] 1B6B540117C1AFDB9C51D230DD81CFBD
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_da-dk_871355dd97b59c51\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] 0E52245E966112DB881DF64C14EF5AD4
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_de-de_843eeb19998bf0eb\kbdclass.sys.mui --a---- 5632 bytes [02:09 21/01/2008] [02:09 21/01/2008] E336FA755BFBAB1D5C239A1A02063279
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_el-gr_2cd518ac88a15979\kbdclass.sys.mui --a---- 6144 bytes [02:09 21/01/2008] [02:09 21/01/2008] 476B0FE6DE853EA26E3E37780135CAEA
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_en-us_2d2fc1128869fcb0\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] A33543C00396091B942D560374CD3E04
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_es-es_2cfb1df68890ee55\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] 9BC15C6F6ED8C0362C38D1C46DFFF679
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_fi-fi_cc1622a37daae07f\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] 6914A8E6184C41E22EFC67211202053D
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_fr-fr_cfb293f57b6304b7\kbdclass.sys.mui --a---- 5632 bytes [02:09 21/01/2008] [02:09 21/01/2008] 28B18A8A56E231831E6B5BB56AFB9ECA
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_he-il_13d23b9761d205a5\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] 767CFBFED83226E1531FAEAE1002398D
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_hu-hu_1723143d5fc2d3d3\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] 2A52F4886DF1046FFD049ADDF509A882
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_it-it_b9da8a3c5294ea35\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] 2F4643E92F10B8D0CFD336B90F9F9014
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_ja-jp_5c00094945affc10\kbdclass.sys.mui --a---- 4096 bytes [02:09 21/01/2008] [02:09 21/01/2008] E85D18767FAD4548DCC1A482CC566287
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_ko-kr_ff69e5fe3820c326\kbdclass.sys.mui --a---- 4096 bytes [02:09 21/01/2008] [02:09 21/01/2008] 46C6F5BE892EE3A613E615752D77EE10
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_nb-no_e7fc67331045eee2\kbdclass.sys.mui --a---- 4608 bytes [02:09 21/01/2008] [02:09 21/01/2008] F82D25634F9C4B8F0F040B9B8893761A
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_nl-nl_e63bb2711171f8b7\kbdclass.sys.mui --a---- 5632 bytes [02:09 21/01/2008] [02:09 21/01/2008] E859900D8D8861DE0532127915D47A4E
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_pl-pl_2c780cf2f694666b\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] C8C961C007C69E7DBCAD6F0E248DABC5
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_pt-br_2ecbf796f51dfa4f\kbdclass.sys.mui --a---- 5120 bytes [02:09 21/01/2008] [02:09 21/01/2008] 9D6C395DC3518532D6F54B125DA98E91
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_pt-pt_2fadc702f48d6a2b\kbdclass.sys.mui --a---- 5632 bytes [02:09 21/01/2008] [02:09 21/01/2008] C2E0AE807934438618F5DBE1EFFEDC55
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_ru-ru_7650d8c6d96ef857\kbdclass.sys.mui --a---- 5120 bytes [02:10 21/01/2008] [02:10 21/01/2008] A3FAA588EAC25B685E46F8F070A7A842
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_sv-se_124bc33bd09802b2\kbdclass.sys.mui --a---- 5120 bytes [02:10 21/01/2008] [02:10 21/01/2008] F8ED42E9F0D10A6FCE79E7F4DF1C197D
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_tr-tr_bb590d82bf5404a3\kbdclass.sys.mui --a---- 5120 bytes [02:10 21/01/2008] [02:10 21/01/2008] 3D370EDB5A572709DAACD77DBD1639A7
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_zh-cn_8cb62b806f8bd6c2\kbdclass.sys.mui --a---- 3584 bytes [02:10 21/01/2008] [02:10 21/01/2008] 534972FFE765037DA235253B80F32EC7
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6000.20734_zh-tw_90b268d66cfcb332\kbdclass.sys.mui --a---- 3584 bytes [02:10 21/01/2008] [02:10 21/01/2008] 617521218377A7B6384F299A82366872
C:\Windows\winsxs\x86_keyboard.inf.resources_31bf3856ad364e35_6.0.6001.18000_en-us_2ea8d1896c5e34a8\kbdclass.sys.mui --a---- 4608 bytes [12:41 02/11/2006] [12:41 02/11/2006] 69A5D812DA82E2236BF5A00E977E3E5C
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.16609_none_957131ccdbca3f9c\kbdclass.sys --a---- 35384 bytes [02:09 21/01/2008] [02:09 21/01/2008] B076B2AB806B3F696DAB21375389101C
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.20734_none_95d55d61f504b486\kbdclass.sys --a---- 35384 bytes [02:09 21/01/2008] [02:09 21/01/2008] C9B0CF786D5F151A43C7BE8E243F2819
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6001.18000_none_974e6dd8d8f8ec7e\kbdclass.sys --a---- 35384 bytes [02:23 21/01/2008] [02:23 21/01/2008] 37605E0A8CF00CBBA538E753E4344C6E
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\kbdclass.sys --a---- 35384 bytes [02:23 21/01/2008] [02:23 21/01/2008] 37605E0A8CF00CBBA538E753E4344C6E

-= EOF =-

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:12:24 AM

Posted 30 September 2011 - 08:01 AM

cwjian90,

Are you able to use the mouse or the touchpad on the I 1520?

Do you have a USB keyboard you can use while we get the laptop keyboard working?

Do you have a CD with drivers for the laptop?


Let's see if we can copy the kbdclass.sys from the DriverStore\FileRepository of the system with a file of the same size:

1. Please continue to disable (temporarily) all AntiVirus and AntiMalware programs so they do not interfere with the running of ComboFix.

2. Open Notepad (Start > Run, type: notepad, click: OK)

3. Copy/paste the text in the code box below to it:


Fcopy::
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\kbdclass.sys | C:\Windows\System32\drivers\kbdclass.sys

Save to your Desktop as CFScript.txt

4. In Notepad
Click File > Save as..., and save to the Desktop
In the File Name box, type: CFScript.txt
Click: Save

5. Close all browser or open windows so that you are at the Desktop.

6. Referring to the picture below, using your mouse, left button, drag CFScript into ComboFix.exe

7. When finished, it produces a log located at C:\ComboFix.txt

8. When done, please post the Combofix.txt in your reply.


Note: Do not mouse-click the ComboFix window while it is running. It may cause CF to stall.

Old duck...
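The Fcopy step above picks the replacement by size and overwrites the live driver with it. As an added example, not part of Aaflac's post and not ComboFix's own logic, the PowerShell below does the comparison first: it hashes C:\Windows\System32\drivers\kbdclass.sys and every kbdclass.sys the servicing stack keeps under DriverStore\FileRepository and winsxs, then reports which stored copies match the live driver by size and which by hash. The paths in $live and $repos assume a default C:\Windows installation, and Get-Md5Hex is a helper written for this example; MD5 is used only because the listing above reports MD5, not as a security control. Run it from an elevated prompt.

```powershell
# Added example (not from the thread, not ComboFix): compare the live
# kbdclass.sys with every copy the servicing stack keeps on disk.
# Assumes a default C:\Windows install. MD5 matches the listing above;
# it is a fingerprint here, not a security control.
$live  = 'C:\Windows\System32\drivers\kbdclass.sys'
$repos = @('C:\Windows\System32\DriverStore\FileRepository',
           'C:\Windows\winsxs')

function Get-Md5Hex {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $fs.Close() }
}

$liveItem = Get-Item -LiteralPath $live
$liveHash = Get-Md5Hex $live
"Live driver: {0} bytes  MD5 {1}" -f $liveItem.Length, $liveHash

# Every kbdclass.sys under the repositories, excluding the live file itself.
$report = @()
foreach ($root in $repos) {
    $found = Get-ChildItem -LiteralPath $root -Recurse -Filter 'kbdclass.sys' -ErrorAction SilentlyContinue
    foreach ($c in $found) {
        if ($c.FullName -eq $live) { continue }
        $hash = Get-Md5Hex $c.FullName
        $report += New-Object PSObject -Property @{
            Path     = $c.FullName
            Bytes    = $c.Length
            MD5      = $hash
            SameSize = ($c.Length -eq $liveItem.Length)
            SameHash = ($hash -eq $liveHash)
        }
    }
}

$report | Sort-Object Bytes, MD5 |
    Format-Table Bytes, SameSize, SameHash, MD5, Path -AutoSize | Out-String -Width 240

# Verdict. A clean inbox driver matches at least one stored copy byte for
# byte. Same size with no hash match is what this thread is chasing: the
# file was altered in place, and the same-size copies are the candidates
# to copy over it (the Fcopy step above, followed by a reboot because the
# loaded driver is only swapped at the next boot).
$match = @($report | Where-Object { $_.SameHash })
if ($match.Count -gt 0) {
    "Live driver is identical to {0} stored copies; no replacement needed." -f $match.Count
} else {
    "No stored copy has the live driver's hash. Same-size candidates:"
    foreach ($r in $report) { if ($r.SameSize) { "  " + $r.Path } }
}
```

One caveat when reading the table: on Vista the files under System32 are commonly hardlinks into winsxs, so a winsxs entry with the same hash may be the same data seen under a second name rather than independent evidence; `fsutil hardlink list C:\Windows\System32\drivers\kbdclass.sys` shows the other names. A DriverStore\FileRepository copy of the matching package version is the better reference.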


#11 cwjian90

cwjian90
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 30 September 2011 - 02:34 PM

Hi,

Touchpad cannot be used, only USB mouse. No USB keyboard, only the onscreen one. No CD but can download drivers.




#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:12:24 AM

Posted 30 September 2011 - 04:48 PM

In order to get a further look at the cause of the problem with the keyboard, etc., we need to scan the system with this special tool.
  • Please download Junction.zip
  • Save to the Desktop.
  • Unzip the file and save junction.exe in the Windows directory (C:\Windows). No need to run it.
Now, please run Notepad (Start > All Programs > Accessories > Notepad)
Copy/paste the text in the code box to Notepad:

@ECHO OFF
REM junction -s scans the current directory recursively for reparse points
REM (junctions, symbolic links); the log is written to that same directory.
junction -s >log.txt
start log.txt

•Go to the File menu at the top of the Notepad and select Save as.
•Select Save in: Desktop
•File name: look.bat
•Save as type: All file types (*.*)
•Click: Save.
•Close Notepad.
•Locate look.bat on the Desktop.
•Vista/Seven - Right-click and select: 'Run as administrator'.
•The command prompt opens, and then Notepad opens

Please copy/paste the log.txt that appears in your reply.
(Please do not attach!)

Edited by Aaflac, 30 September 2011 - 04:49 PM.

Old duck...


#13 cwjian90

cwjian90
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 30 September 2011 - 05:26 PM

Here it is:

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\C:\Users\CW\Desktop\gmer.exe: Access is denied.
...


Failed to open \\?\C:\Users\CW\Desktop\UTPPD-v1.0.1-Win\Python(x,y)-2.6.6.0.exe: Access is denied.
..No reparse points found.
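As an added example, not part of either post above and not Sysinternals Junction, the PowerShell below reproduces the two things the `junction -s` log reveals. It walks a directory tree, lists reparse points (the objects junction reports), and separately records files that cannot be opened for reading, which is the `Failed to open ...: Access is denied` condition shown against gmer.exe and the other Desktop executables; for each such file it prints the owner and any explicit Deny entries in the ACL. $Root is an assumption (the logged-on user's Desktop). Run it elevated so that a denial reflects the file's ACL rather than a standard-user limit.

```powershell
# Added example (not from the thread, not Sysinternals Junction): list
# reparse points under $Root and files the current token cannot open for
# reading, then show owner and explicit Deny ACEs on those files.
$Root = "$env:USERPROFILE\Desktop"   # assumption: the Desktop the log above scanned

$reparse = @()
$denied  = @()

foreach ($item in (Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)) {
    # Junctions, symbolic links and other reparse points: what junction -s prints.
    if (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
        $reparse += $item.FullName
        continue
    }
    if ($item.PSIsContainer) { continue }
    # The "Failed to open ... Access is denied" case: attempt a plain read open.
    try {
        $fs = [System.IO.File]::Open($item.FullName, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
    } catch [System.UnauthorizedAccessException] {
        $denied += $item.FullName
    } catch {
        # sharing violations and the like are not ACL problems; skip them
    }
}

"Reparse points under {0}: {1}" -f $Root, $reparse.Count
foreach ($p in $reparse) { "  $p" }

"Files that could not be opened for reading: {0}" -f $denied.Count
foreach ($f in $denied) {
    "  $f"
    try {
        # Escape so a path containing [ ] is not treated as a wildcard.
        $acl = Get-Acl -Path ([System.Management.Automation.WildcardPattern]::Escape($f))
        "     owner: {0}" -f $acl.Owner
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny') {
                "     DENY  {0}: {1}" -f $ace.IdentityReference, $ace.FileSystemRights
            }
        }
    } catch {
        "     (ACL unreadable; take ownership before inspecting)"
    }
}
```

Record the Deny entries and the owner before changing anything: they show which identities were locked out and whether ownership was taken from the user. Once the infection itself is dealt with, which is the order Aaflac's post #14 follows, `takeown /f <file>` and then `icacls <file> /reset` restore the inherited permissions on a locked file.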

#14 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:12:24 AM

Posted 30 September 2011 - 08:50 PM

The file in the DriverStore\FileRepository did not take care of replacing the kbdclass.sys file in C:\Windows\System32\drivers.

Please go to the Dell website and download the drivers. Also read whatever their recommendations are on how to and where to download them.

There may also be a Chat area where you can talk to one of the Dell representatives who can give you some specifics on the 'how to'. Make sure you tell them your computer was infected by the ZeroAccess Rootkit, although it is now neutralized.


After the above, we will take care of the two entries Junction.zip showed, and any remnants of the infection.

Old duck...


#15 cwjian90

cwjian90
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 30 September 2011 - 10:00 PM

Hi,
It's not on their list...seems to be a Microsoft driver. Windows found it but couldn't install it (device cannot start)

UPDATE: Reinstalled but still have Code 10 error

UPDATE2: Keyboard works after restart! :D Thanks! Now for the other stuff? Also, it seems we're back to square one, it's still redirecting Google searches...

Edited by cwjian90, 30 September 2011 - 10:53 PM.




