Topic: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help

warmy

  • Guest
Hi,

avast detected this virus on my usb.
Here is what it says:

sign of "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file.

I moved it to the chest. Can I use my USB now safely? When I double-click the icon for the USB, it doesn't go directly inside of it. Instead, my PC asks me to choose a program to open it.

pls help. I just reformatted my PC so I don't want it to have any virus again (aside from the issue of the date and time always changing and not being up to date after I boot my PC)

Offline Lisandro

  • Avast team
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #1 on: November 19, 2008, 03:25:17 PM »
Maybe this helps...

  • Download Flash Drive Disinfector and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
  • Note: Flash Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • malware fighter
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #2 on: November 19, 2008, 03:28:10 PM »
Hi warmy,

Download Flash Disinfector from here: http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
Save it to your desktop, make sure your USB drive (or whatever other removable stick you have/had inserted there) is connected, and run this tool for all removables you had inserted there to disinfect.

Download the latest version of Combofix.exe from http://download.bleepingcomputer.com/sUBs/ComboFix.exe, and save it to your C folder (C:\ComboFix.exe).

Double-click on combofix.exe and the scan will start. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Attach the log.txt to your next posting. Also post a HijackThis scan file as a txt attachment. Download HJT from here: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Later we will make a script to cleanse the instances of keybd.exe on your computer and the registry entry for it, but that will be a next step; first let comboscript and hijackthis have a run on your computer.
Do not worry, all will be OK,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

warmy

  • Guest
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #3 on: November 21, 2008, 12:49:42 PM »
Hi, I can't paste the log file of ComboFix and HijackThis.. it says that I exceeded the maximum characters...

Offline Lisandro

  • Avast team
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #4 on: November 21, 2008, 01:34:38 PM »
Hi, I can't paste the log file of ComboFix and HijackThis.. it says that I exceeded the maximum characters...
Post in more than one post, dividing the text...
The best things in life are free.

warmy

  • Guest
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #5 on: November 21, 2008, 04:50:22 PM »
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.381 [GMT 8:00]
Running from: d:\documents and settings\BUNAO\Desktop\Downloads\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\hpvaut32.dll
d:\windows\system32\hpvcp70.dll
d:\windows\system32\hpvcr70.dll

.
(((((((((((((((((((((((((   Files Created from 2008-10-21 to 2008-11-21  )))))))))))))))))))))))))))))))
.
.

warmy

  • Guest
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #6 on: November 21, 2008, 04:50:54 PM »

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2004-06-01 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-19 81000]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"HP Component Manager"="d:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="d:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-19 49152]

d:\documents and settings\BUNAO\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - d:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [2008-11-16 110160]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-16 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982976ce-b3de-11dd-84c6-000b6a652f35}]
\Shell\AutoRun\command - qyq826j2.com
\Shell\explore\Command - qyq826j2.com
\Shell\open\Command - qyq826j2.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6e75f30-b31f-11d8-84d5-000b6a652f35}]
\Shell\Auto\command - F:\keybd.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL keybd.exe

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
FireFox -: Profile - d:\documents and settings\BUNAO\Application Data\Mozilla\Firefox\Profiles\3d8hdfg1.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
FF -: plugin - d:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 19:42:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-21 19:44:10
ComboFix-quarantined-files.txt  2008-11-21 11:44:07

Pre-Run: 34,711,097,344 bytes free
Post-Run: 34,774,827,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

181   --- E O F ---   2008-11-16 18:32:28
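The MountPoints2 entries in the log above are what make the USB drive launch a program instead of opening as a folder (the symptom warmy describes in the first post), and the hidden autorun.inf folder that Flash Disinfector leaves on each drive is the mitigation. As an added example (not code from this thread, ComboFix, HijackThis or Flash Disinfector), this Python script parses those MountPoints2 blocks, peels off the ShellExec_RunDLL wrapper to show which program each double-click verb would start, flags entries that launch an executable-typed file, and classifies a drive root by whether autorun.inf is a protective folder, a file, or absent; the log excerpt is copied from the post, everything else (names, the executable-extension heuristic) is assumed.

```python
"""Defensive audit helpers for the USB autorun infection discussed in this thread.

Added example, not the code of any tool named in the thread:
  1. parse the MountPoints2 blocks of a ComboFix "Reg Loading Points" section and
     list what each removable drive would launch on open/explore/autorun;
  2. inspect a drive root the way Flash Disinfector leaves it: an autorun.inf
     *folder* prevents a worm from dropping an autorun.inf *file* there.
"""
import os
import re
from dataclasses import dataclass, field

# Assumption: any target with one of these extensions is treated as suspicious.
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}

# Constructed sample: the two MountPoints2 blocks exactly as they appear in the
# ComboFix log posted in this thread.
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982976ce-b3de-11dd-84c6-000b6a652f35}]
\Shell\AutoRun\command - qyq826j2.com
\Shell\explore\Command - qyq826j2.com
\Shell\open\Command - qyq826j2.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6e75f30-b31f-11d8-84d5-000b6a652f35}]
\Shell\Auto\command - F:\keybd.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL keybd.exe
"""

# "[...mountpoints2\{guid}]" header line of a block
_KEY_RE = re.compile(r"^\[[^\]]*mountpoints2\\\{(?P<guid>[0-9a-f-]+)\}\]$", re.I)
# "\Shell\<verb>\command - <command line>" entry inside a block
_VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)
# wrapper the worm uses so the target is resolved relative to the drive root
_RUNDLL_RE = re.compile(r"^.*rundll32(\.exe)?\s+shell32\.dll,\s*ShellExec_RunDLL\s+", re.I)


@dataclass
class MountPoint:
    guid: str
    commands: dict = field(default_factory=dict)  # verb (lowercase) -> command line

    def launched_programs(self):
        """Program each verb ends up starting, with the ShellExec_RunDLL wrapper removed."""
        out = {}
        for verb, cmd in self.commands.items():
            target = _RUNDLL_RE.sub("", cmd).strip().strip('"')
            out[verb] = target.split()[0] if target else ""
        return out

    def is_suspicious(self):
        """True if any double-click verb launches an executable-typed file (heuristic)."""
        return any(os.path.splitext(p)[1].lower() in EXECUTABLE_EXT
                   for p in self.launched_programs().values())


def parse_mountpoints2(log_text):
    """Return one MountPoint per MountPoints2 block found in a ComboFix log excerpt."""
    entries, current = [], None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = _KEY_RE.match(line)
        if m:
            current = MountPoint(guid=m.group("guid").lower())
            entries.append(current)
            continue
        m = _VERB_RE.match(line)
        if m and current is not None:
            current.commands[m.group("verb").lower()] = m.group("cmd")
        elif not line:
            current = None  # a blank line ends the block
    return entries


def drive_root_status(root):
    """'protected' if autorun.inf is a folder, 'autorun-file' if it is a file, else 'clean'."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "protected"
    if os.path.isfile(path):
        return "autorun-file"
    return "clean"


if __name__ == "__main__":
    for mp in parse_mountpoints2(SAMPLE_COMBOFIX):
        flag = "SUSPICIOUS" if mp.is_suspicious() else "ok"
        print(f"{mp.guid}: {flag} {mp.launched_programs()}")
```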

warmy

  • Guest
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #7 on: November 21, 2008, 04:52:11 PM »
above is the combo fix log..Here is the hijack log..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:23 PM, on 11/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 3.0.lnk = D:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 4031 bytes


What shall I do next? The keybd.exe is in the virus vault...

warmy

  • Guest
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #8 on: November 22, 2008, 07:47:28 AM »
Hi all, pls advise on the above..

YoKenny

  • Guest
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #9 on: November 22, 2008, 11:59:42 AM »
Hi all, pls advise on the above..
SP3 has been available for 5 months and I have been using it on all of my systems without problems so update to SP3.

warmy

  • Guest
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #10 on: November 22, 2008, 12:22:01 PM »
is it free? hehe

Offline Lisandro

  • Avast team
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #11 on: November 22, 2008, 12:27:38 PM »
is it free? hehe
You've paid for Windows ;D
The best things in life are free.

warmy

  • Guest
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #12 on: November 22, 2008, 05:08:11 PM »
No, seriously, tech and polonus, what's my next step?

Ltangelic

  • Guest
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #13 on: November 22, 2008, 05:35:29 PM »
Hey warmy,

Important! I just made some modifications to my fix, please look at it again. Thanks.

Let me help you. :) Your ComboFix log isn't that bad, how is your computer doing? Please make sure you have a removable disk inserted into F:\ before continuing with the fix. :)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
KillAll:

File::
D:\qyq826j2.com
F:\keybd.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982976ce-b3de-11dd-84c6-000b6a652f35}]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6e75f30-b31f-11d8-84d5-000b6a652f35}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
2) Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next reply (please include):

Note: Please do NOT attach the logs and post ONE log in each post

Fresh HijackThis log
ComboFix.txt
MBAM scan log


« Last Edit: November 24, 2008, 12:11:51 PM by Ltangelic »

warmy

  • Guest
Re: "Win32:Rootkit-gen [Rtk]" has been found in "F\keybd.exe" file. pls help
« Reply #14 on: November 28, 2008, 04:47:26 PM »
ComboFix 08-11-27.07 - BUNAO 2008-11-28 22:35:47.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.220 [GMT 8:00]
Running from: d:\documents and settings\BUNAO\Desktop\Downloads\ComboFix.exe
Command switches used :: d:\documents and settings\BUNAO\Desktop\Downloads\CFScript.txt
 * Created a new restore point

FILE ::
D:\qyq826j2.com
F:\keybd.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\hpvaut32.dll
d:\windows\system32\hpvcp70.dll
d:\windows\system32\hpvcr70.dll

.
(((((((((((((((((((((((((   Files Created from 2008-10-28 to 2008-11-28  )))))))))))))))))))))))))))))))
.
