
Solved Ps/2 Keyboard Failure and kbdclass.sys Problem

Discussion in 'Malware and Virus Removal Archive' started by Gideon, 2011/02/15.

  1. 2011/02/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    If you did what you could, run Combofix anyway.

    Do you have Windows XP CD?
     
  2. 2011/02/20
    Gideon

    Gideon Inactive Thread Starter

    Joined:
    2006/08/23
    Messages:
    175
    Likes Received:
    0
    Unfortunately, I lost my XP disc long ago; that's mostly the reason I have yet to completely wipe the computer and reinstall Windows. I will run ComboFix now...
     

  4. 2011/02/20
    broni Moderator Malware Analyst
    Ok...
     
  5. 2011/02/20
    Gideon Inactive Thread Starter
    ComboFix 11-02-20.01 - Gideon 2011-02-20 14:26:43.10.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1486 [GMT -8:00]
    Running from: c:\documents and settings\Gideon\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Gideon\Desktop\CFScript.txt
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ActiveArmor Firewall *Enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
    * Created a new restore point

    FILE ::
    "c:\windows\system32\FxGoWinFu.dll "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\FxGoWinFu.dll

    c:\windows\system32\winlogon.exe . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 )))))))))))))))))))))))))))))))
    .

    2011-02-15 05:18 . 2011-02-15 05:18 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{D7CFB71A-972A-44FF-AE44-8780EB53ABB2}
    2011-02-15 04:58 . 2011-02-15 04:58 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{BC13C66E-D01E-4443-A1D1-35EEDF3A964A}
    2011-02-15 04:32 . 2011-02-15 04:32 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{3689B77C-90FA-4663-91AB-5AB34383CD81}
    2011-02-15 04:32 . 2011-02-15 04:32 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{24E3A4D8-9E57-4B19-9715-6E61513095D7}
    2011-02-15 04:19 . 2011-02-15 04:19 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\{A0DFE2A5-DE68-41F3-8861-73E954C1D41D}
    2011-02-14 01:15 . 2011-02-14 01:15 -------- d-----w- c:\program files\XILS-lab
    2011-02-13 22:55 . 2011-02-13 23:19 -------- d-----w- c:\program files\D16 Group
    2011-02-12 20:02 . 2011-02-12 20:02 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
    2011-02-12 20:01 . 2011-02-12 20:03 -------- d-----w- c:\documents and settings\Gideon\Application Data\DAEMON Tools Pro
    2011-02-12 20:01 . 2011-02-12 20:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DAEMON Tools Pro
    2011-02-12 05:46 . 2006-09-14 09:21 2240 ----a-w- c:\windows\LENDIG.sys
    2011-02-12 05:03 . 2010-09-07 15:53 340048 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-02-12 05:03 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-12 05:03 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-12 05:03 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-12 05:03 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-02-12 05:03 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-02-12 05:03 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-02-12 05:03 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-02-12 05:02 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
    2011-02-12 05:02 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-12 05:02 . 2011-02-12 05:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
    2011-02-12 03:56 . 1999-12-17 18:13 86016 ----a-w- c:\windows\unvise32.exe
    2011-02-11 22:47 . 2003-07-06 17:10 17408 ------w- c:\windows\system32\minimp3.exe
    2011-02-11 21:18 . 2011-02-11 21:18 -------- d-----w- c:\documents and settings\Gideon\Application Data\iZotope
    2011-02-11 21:10 . 2011-02-11 21:09 710496 ----a-w- c:\program files\Uninstall Information\{842C6AFC-7856-4fd9-99AF-8900554ACAA2}\unins000.exe
    2011-02-11 18:15 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-11 18:15 . 2011-02-11 18:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-11 18:15 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-11 17:17 . 2010-01-17 07:27 2440704 ----a-w- c:\windows\system32\SYNSOEMU.DLL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-02 00:12 . 2007-05-17 16:48 720896 ----a-w- c:\windows\iun6002.exe
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    --- c:\windows\system32\drivers\dtsoftbus01.sys ---
    Company: DT Soft Ltd
    File Description: DAEMON Tools Virtual Bus Driver
    File Version: 4.40.0312.0210
    Product Name: DAEMON Tools Pro
    Copyright: © 2000-2010 DT Soft Ltd.
    Original Filename: dtsoftbus01.sys
    File size: 218688
    Created time: 2011-02-12 20:02
    Modified time: 2011-02-12 20:02
    MD5: 87B0F28C43B50BBB917F4400FA63CD31
    SHA1: ADBAD403C9A2A48EFBB4E04EAC0DC6AAC66A5CD9


    ------- Sigcheck -------

    [-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
    [-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

    [-] 2010-04-14 . 6BDF6B80F3C6C37BEF59637FA8A652F2 . 505856 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

    [-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
    [-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-02-19_23.38.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-20 16:17 . 2011-02-20 16:17 16384 c:\windows\temp\Perflib_Perfdata_890.dat
    + 2011-02-20 16:17 . 2011-02-20 16:17 16384 c:\windows\temp\Perflib_Perfdata_5f0.dat
    - 2004-08-04 12:00 . 2011-02-17 20:28 87492 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2011-02-20 16:22 87492 c:\windows\system32\perfc009.dat
    + 2010-11-21 01:44 . 2011-02-20 13:20 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
    - 2010-11-21 01:44 . 2010-12-18 11:01 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
    - 2004-08-04 12:00 . 2011-02-17 20:28 501712 c:\windows\system32\perfh009.dat
    + 2004-08-04 12:00 . 2011-02-20 16:22 501712 c:\windows\system32\perfh009.dat
    + 2011-02-20 11:00 . 2011-02-20 11:00 20308992 c:\windows\Installer\d7036a1.msp
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{88c7f2aa-f93f-432c-8f0e-b7d85967a527} "= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-11-14 3913000]

    [HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-11-14 05:58 3913000 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    2010-11-14 05:58 3913000 ----a-w- c:\program files\BitTorrentBar\tbBit0.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{88c7f2aa-f93f-432c-8f0e-b7d85967a527} "= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-11-14 3913000]
    "{30F9B915-B755-4826-820B-08FBA6BD249D} "= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-14 3913000]

    [HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]

    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
    @= "{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE} "
    [HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
    2010-09-07 16:14 152160 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-14 68856]
    "DAEMON Tools Pro Agent "= "k:\daemon tools pro\DTAgent.exe" [2011-01-13 840000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "amd_dc_opt "= "c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
    "Profiler "= "c:\program files\Saitek\Software\ProfilerU.exe" [2005-08-30 163840]
    "SaiMfd "= "c:\program files\Saitek\Software\SaiMfd.exe" [2005-09-10 126976]
    "nwiz "= "c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-06-03 1753192]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2010-06-08 110696]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2010-06-08 13902440]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2009-06-17 55824]
    "SwitchBoard "= "c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "LXCGCATS "= "c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-7-6 813584]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 19:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "Midi2 "=ma_cmidn.dll
    "midi3 "=ma_cmidn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
    2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-06-08 00:34 13902440 ----a-w- c:\windows\system32\nvcpl.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Java\\jre1.5.0_05\\bin\\rmiregistry.exe "=
    "c:\\WINDOWS\\system32\\dpvsetup.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\DNA\\btdna.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142Pace.exe "=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe "=
    "c:\\Program Files\\Steam\\Steam.exe "=
    "c:\\WINDOWS\\system32\\winver.exe "=
    "c:\\Program Files\\ComicRack\\ComicRack.exe "=

    R0 ABIT-IO;ABIT-IO;c:\windows\system32\drivers\ABIT-IO.sys [2007-06-29 4608]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-02-11 340048]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-02-11 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-02-11 17744]
    R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-06-05 20072]
    R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-02-12 218688]
    R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-09-15 38248]
    S1 MpKslcb21d3e3;MpKslcb21d3e3;\??\c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6F3C876A-1946-4FDD-8B3C-C4B9E1C5C240}\MpKslcb21d3e3.sys --> c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6F3C876A-1946-4FDD-8B3C-C4B9E1C5C240}\MpKslcb21d3e3.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 135664]
    S3 dsaudiodevice_286;DsAudioDevice_286;c:\windows\system32\drivers\DsAudioDevice_286.sys [2009-02-08 16640]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-07-24 14424]
    S3 SaiH80C0;SaiH80C0;c:\windows\system32\drivers\SaiH80C0.sys [2007-05-06 176384]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2010-06-08 13504]
    S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2010-06-08 22304]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-06-16 717296]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{b2c3bb6b-e005-4246-b8e5-df0a4d073cdc}]
    2008-06-18 23:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-20 c:\windows\Tasks\AdobeAAMUpdater-1.0-TELETRAN-Gideon.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-01-12 11:44]

    2011-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 18:40]

    2011-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 18:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2790392
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Free YouTube Download - c:\documents and settings\Gideon\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    FF - ProfilePath - c:\documents and settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=ConduitEngine&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Conduit Engine Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=&SearchSource=13
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=616163&p=
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Arabic spell-checking dictionary: ar@dictionaries.addons.mozilla.org - %profile%\extensions\ar@dictionaries.addons.mozilla.org
    FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-20 14:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...


    C:\## aswSnx private storage

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-823518204-838170752-725345543-1004\Software\SecuROM\!caution! never delete or change any key*]
    "?? "=hex:06,6a,34,8c,2c,ee,0c,df,81,f2,44,9c,83,04,9d,b9,ae,11,19,28,ea,cf,84,
    08,4f,c4,9b,d6,da,49,5a,4e,98,bb,65,1b,68,82,00,5f,3f,4e,d9,96,b1,d0,cc,67,\
    "?? "=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

    [HKEY_USERS\S-1-5-21-823518204-838170752-725345543-1004\Software\SecuROM\License information*]
    "datasecu "=hex:b4,7c,02,9a,a8,fd,49,1e,71,20,25,04,4f,b9,9e,8c,9e,74,ad,88,b0,
    ae,93,a0,e7,c7,99,f5,24,5a,47,33,11,15,77,ac,01,d8,43,54,01,6e,7d,7b,af,b0,\
    "rkeysecu "=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(932)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll

    - - - - - - - > 'lsass.exe'(992)
    c:\windows\system32\nvappfilter.dll
    .
    Completion time: 2011-02-20 14:44:04
    ComboFix-quarantined-files.txt 2011-02-20 22:44
    ComboFix2.txt 2011-02-19 23:41
    ComboFix3.txt 2010-05-13 18:17

    Pre-Run: 16,129,888,256 bytes free
    Post-Run: 16,120,090,624 bytes free

    - - End Of File - - 6A27BB145D76E8C245FEF6E9B7855CC2
     
  6. 2011/02/20
    broni Moderator Malware Analyst
    At this point this:
    is our main concern.
    We can try to fix it in a couple of ways, but since you don't have Service Pack 3 installed, I want you to download it from here: http://www.microsoft.com/downloads/...a8-5e76-401f-be08-1e1555d4f3d4&displaylang=en and install it.
    Possibly, it'll overwrite the bad file.

    When done, post fresh Combofix log.
     
  7. 2011/02/20
    Gideon Inactive Thread Starter
    I have downloaded Service Pack 3. When I click on the .exe file, it extracts to my K drive. Does it matter where it initially extracts to? I would think it does, but I wanted to ask you first. The K drive is not my primary drive.
     
  8. 2011/02/20
    broni Moderator Malware Analyst
    Just in case, I'd instruct it to extract to the C drive.
     
  9. 2011/02/20
    Gideon Inactive Thread Starter
    Hmmm, I'm not sure what to do; as before, when I execute the file it extracts to the K drive, and I'm not sure where to put the file if I manually extract it to the C drive. When extracted, it produces a folder called i386 with numerous files within it. Any ideas?
     
  10. 2011/02/20
    broni Moderator Malware Analyst
    Yeah, that folder should reside in the root directory (C:\).
     
  11. 2011/02/21
    Gideon Inactive Thread Starter
    I have installed the service pack; however, the progress bar has been performing cleanup for some time now, about 30 min. I planned to give it some time to finish, but wasn't sure if it had stalled out completely. Does this seem like a normal thing to have happen?
     
  12. 2011/02/21
    broni Moderator Malware Analyst
    Cleanup running after installing SP3?
    If so, definitely give it some time.
     
  13. 2011/02/21
    Gideon Inactive Thread Starter
    It's been at the same status for over an hour now. Should I wait?
     
  14. 2011/02/21
    broni Moderator Malware Analyst
    I guess you'll have to shut it down manually.
     
  15. 2011/02/21
    Gideon Inactive Thread Starter
    I rebooted and on restart, once the desktop loaded, a DOS window opened that was labeled "windows system 32 .exe".

    The dialog within the box, I believe, said "process incomplete". Aside from all this, Windows booted and I am able to navigate. Should I try to install Service Pack 3 again? Sorry for all the trouble :(
     
  16. 2011/02/21
    broni Moderator Malware Analyst
    Well, no reason to be sorry :)

    Go ahead and retry SP3 installation.
     
  17. 2011/02/21
    Gideon Inactive Thread Starter
    Well, it looks like the same thing is happening. I could leave it alone all night just to make sure, but I'm pretty sure that the installation is going nowhere, same as before.
     
  18. 2011/02/21
    broni Moderator Malware Analyst
    OK. It may be our infection causing issues.

    I uploaded a zipped winlogon.exe file from my XP here: http://www.filedropper.com/winlogon
    Download it, unzip it and place the winlogon.exe file in the root C:\ directory.

    Now I want to see that it's in the right place, so...

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista/Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      winlogon.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  19. 2011/02/23
    Gideon Inactive Thread Starter
    SystemLook 04.09.10 by jpshortstuff
    Log created at 10:31 on 23/02/2011 by Gideon
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "winlogon.exe "
    C:\winlogon.exe --a---- 507904 bytes [18:30 23/02/2011] [09:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
    C:\Documents and Settings\Gideon\Desktop\BBS\winlogon.exe --a---- 507904 bytes [19:34 27/05/2010] [08:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
    C:\Documents and Settings\Gideon\Desktop\hezb0ller\winlogon.exe --a---- 507904 bytes [18:30 23/02/2011] [09:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
    C:\Documents and Settings\Gideon\My Documents\Downloads\winlogon.exe --a---- 505856 bytes [21:31 20/02/2011] [21:31 20/02/2011] 6BDF6B80F3C6C37BEF59637FA8A652F2
    C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 505856 bytes [21:44 21/02/2011] [21:17 14/04/2010] 6BDF6B80F3C6C37BEF59637FA8A652F2
    C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [21:49 21/02/2011] [13:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
    C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:00 04/08/2004] [13:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

    -= EOF =-
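An added triage script (not part of this thread, and not code from SystemLook or ComboFix) that parses the filefind block above, groups the copies by MD5, and judges each copy against the one under ServicePackFiles, treated here as the clean source, and against the hash ComboFix's Sigcheck section listed for the system32\winlogon.exe it reported as infected. The paths and hashes are the ones in this thread's logs; the choice of reference directory, the verdict labels and the timestamp-column names are the script's own assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the filefind result lines from the SystemLook log
# posted above, embedded inline so the script runs offline.
SYSTEMLOOK_FILEFIND = r"""========== filefind ==========

Searching for "winlogon.exe"
C:\winlogon.exe --a---- 507904 bytes [18:30 23/02/2011] [09:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
C:\Documents and Settings\Gideon\Desktop\BBS\winlogon.exe --a---- 507904 bytes [19:34 27/05/2010] [08:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
C:\Documents and Settings\Gideon\Desktop\hezb0ller\winlogon.exe --a---- 507904 bytes [18:30 23/02/2011] [09:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
C:\Documents and Settings\Gideon\My Documents\Downloads\winlogon.exe --a---- 505856 bytes [21:31 20/02/2011] [21:31 20/02/2011] 6BDF6B80F3C6C37BEF59637FA8A652F2
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 505856 bytes [21:44 21/02/2011] [21:17 14/04/2010] 6BDF6B80F3C6C37BEF59637FA8A652F2
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [21:49 21/02/2011] [13:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:00 04/08/2004] [13:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

-= EOF =-
"""

# MD5 that ComboFix's Sigcheck section listed for the system32\winlogon.exe it
# reported as infected earlier in this thread (thread-specific, not a general IoC).
COMBOFIX_FLAGGED_MD5 = "6BDF6B80F3C6C37BEF59637FA8A652F2"

# One result line: path, seven attribute flags, size, two bracketed timestamps,
# MD5. Paths contain spaces, so the path is matched lazily and anchored by the
# attribute field that follows it.
FILEFIND_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
TIMESTAMP = "%H:%M %d/%m/%Y"

@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str
    size: int
    ts1: datetime  # first bracketed timestamp, as printed
    ts2: datetime  # second bracketed timestamp, as printed
    md5: str

def parse_filefind(text):
    """Return a FileHit for every result line of a SystemLook filefind log."""
    hits = []
    for line in text.splitlines():
        m = FILEFIND_LINE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, EOF marker
        hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                            datetime.strptime(m["ts1"], TIMESTAMP),
                            datetime.strptime(m["ts2"], TIMESTAMP),
                            m["md5"].upper()))
    return hits

def group_by_md5(hits):
    """Map each MD5 to the paths carrying it, so identical copies stand out."""
    groups = defaultdict(list)
    for h in hits:
        groups[h.md5].append(h.path)
    return dict(groups)

def triage(hits, reference_marker="\\ServicePackFiles\\", flagged_md5s=frozenset()):
    """Judge each copy against the one under reference_marker (an assumed choice).
    Verdicts: "reference", "flagged" (hash in flagged_md5s), "matches_reference",
    or "differs" (unknown hash: inspect before trusting it as a replacement).
    """
    refs = [h for h in hits if reference_marker.lower() in h.path.lower()]
    if len(refs) != 1:
        raise ValueError(f"expected exactly one reference copy, found {len(refs)}")
    ref = refs[0]
    flagged = {m.upper() for m in flagged_md5s}
    if ref.md5 in flagged:
        raise ValueError("reference copy carries a flagged hash; choose another source")
    verdicts = {}
    for h in hits:
        if h is ref:
            verdicts[h.path] = "reference"
        elif h.md5 in flagged:
            verdicts[h.path] = "flagged"
        elif h.md5 == ref.md5:
            verdicts[h.path] = "matches_reference"
        else:
            verdicts[h.path] = "differs"
    return verdicts
```

Run against the embedded log, the script shows the system32 copy already carrying the ServicePackFiles hash while the Downloads and $NtServicePackUninstall$ copies still carry the hash ComboFix flagged, and the uploaded C:\winlogon.exe as a third, unverified hash.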
     
  20. 2011/02/23
    broni Moderator Malware Analyst
    It looks like you actually have some, seemingly healthy, replacements on your computer.

    Download BlitzBlank and save it to your desktop.
    Double-click on Blitzblank.exe

    • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
    • Click the Script tab and copy/paste the following text there:
    Code:
    CopyFile:
    C:\WINDOWS\ServicePackFiles\i386\winlogon.exe C:\WINDOWS\system32\winlogon.exe
    

    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
     
  21. 2011/02/24
    Gideon Inactive Thread Starter
    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\winlogon.exe ", destinationFile = "\??\c:\windows\system32\winlogon.exe "
     
