
Solved Windows clock change and keyboard malfunction

Discussion in 'Malware and Virus Removal Archive' started by don1721, 2009/08/17.

  1. 2009/08/17
    don1721 (Thread Starter)
    [Resolved] Windows clock change and keyboard malfunction

    Hi, I'm new here and I would like some help. I really don't know if my PC is infected. I'm using Vista Home, and for the past few days I have been experiencing some issues like time changes and keyboard malfunction: when I'm typing, the characters are in capitals even if the Caps Lock key is off, and vice versa. Also, there are times that I can't open the Yahoo site.


    Here is the logfile from HijackThis.

    Thanks! :)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:03:30 PM, on 8/17/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18294)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O13 - Gopher Prefix:
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 5555 bytes
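Added example (written for this thread; not a WindowsBBS, Trend Micro or HijackThis tool): a script that automates the first pass an analyst makes over a HijackThis log like the one above. It parses the `Rn`/`On` entry lines and lists every `O20 AppInit_DLLs` entry (DLLs named there are loaded into every process that maps user32.dll, so they are always inspected; the three in this log sit under the Kaspersky directory), flags `O4`/`O23` autostart binaries outside the Windows and Program Files trees, hosts-file lines other than the loopback entries, and start/search URLs that are not Microsoft's defaults. The sample input copies nine lines from the log above and appends three constructed lines (marked in the code) that are not from this machine; the expected-location list, the trusted hosts and the rule names are assumptions made for the example.

```python
"""Automated first pass over a HijackThis 2.x log.

Example code written for this thread, not a HijackThis or WindowsBBS tool.
The rules are assumptions about what an analyst checks first:
  * every O20 AppInit_DLLs entry (those DLLs load into each process that
    maps user32.dll, so they are always inspected);
  * O4 / O23 autostart binaries outside the Windows and Program Files trees;
  * O1 hosts-file lines other than the loopback entries;
  * R0 / R1 start and search URLs not pointing at Microsoft's defaults.
"""
import re
from urllib.parse import urlparse

# HJT entry line: "<code> - <body>", e.g. O4 - HKLM\..\Run: [AVP] "C:\...\avp.exe"
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2})\s+-\s+(.*)$")
# Drive- or %VAR%-rooted path ending in a loadable extension. May contain
# spaces; stops at a quote or comma (AppInit_DLLs is comma-separated).
PATH_RE = re.compile(
    r'(?:[A-Za-z]:|%[A-Za-z]+%)\\[^",]*?\.(?:exe|dll|cpl|scr|sys|ocx|bat|cmd|vbs)\b',
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumed normal install roots (lower-cased; 8.3 short names included).
EXPECTED_ROOTS = (
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
    "c:\\progra~1\\", "c:\\progra~2\\", "%programfiles%\\",
)
TRUSTED_URL_HOSTS = {"go.microsoft.com", "www.microsoft.com"}
LOOPBACK_HOSTS_LINES = {"127.0.0.1 localhost", "::1 localhost"}

# Lines copied from don1721's HijackThis log, followed by three constructed
# lines (after the '# constructed' marker) invented only to exercise the flags.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
# constructed (not from this machine):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.net/?q=
O1 - Hosts: 10.0.0.5 update.example.com
O4 - HKCU\..\Run: [updater] C:\Users\someone\AppData\Local\Temp\updater.exe
"""


def parse_hjt(text):
    """Return [(code, body), ...] for each HJT entry line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def in_expected_root(path):
    p = path.lower()
    return any(p.startswith(root) for root in EXPECTED_ROOTS)


def triage(entries):
    """Apply the rules above; return [(rule, code, detail), ...] in log order."""
    findings = []
    for code, body in entries:
        paths = PATH_RE.findall(body)
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            findings += [("appinit_dll", code, p) for p in paths]
        elif code in ("O4", "O23"):
            findings += [("autostart_outside_program_dirs", code, p)
                         for p in paths if not in_expected_root(p)]
        elif code == "O1" and body.startswith("Hosts:"):
            hosts_line = " ".join(body[len("Hosts:"):].split())
            if hosts_line not in LOOPBACK_HOSTS_LINES:
                findings.append(("hosts_override", code, hosts_line))
        elif code in ("R0", "R1"):
            for url in URL_RE.findall(body):
                if (urlparse(url).hostname or "") not in TRUSTED_URL_HOSTS:
                    findings.append(("browser_url_not_default", code, url))
    return findings


def summarize(text):
    """Group findings by rule name: {rule: [detail, ...]}."""
    grouped = {}
    for rule, _code, detail in triage(parse_hjt(text)):
        grouped.setdefault(rule, []).append(detail)
    return grouped


if __name__ == "__main__":
    for rule, details in summarize(SAMPLE_LOG).items():
        print(rule)
        for d in details:
            print("   ", d)
```

Run it as a script to print the grouped findings. On the nine copied lines only the AppInit_DLLs listing fires, and all three DLLs resolve to the Kaspersky directory; the three constructed lines each trigger one of the remaining rules. The rules are deliberately conservative (path location and host allowlists), so an entry that passes them still needs the usual checks of the file's signature, vendor and age before it is trusted.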
     
  2. 2009/08/17
    PeteC (SuperGeek, Staff)
    Welcome to WindowsBBS :)

    We encourage all members to complete their System Specifications which help us to help you :)

    Please read this as indicated at the head of the forum and post the logs requested in this thread. An HJT log is no longer sufficient.
     


  4. 2009/08/17
    don1721 (Thread Starter)
    Here is the log from DDS

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by Don at 18:19:15.84 on Mon 08/17/2009
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3326.2339 [GMT -7:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows.old\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Don\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe "
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    StartupFolder: c:\users\don\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
    IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: klogon - c:\windows\system32\klogon.dll
    AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

    ============= SERVICES / DRIVERS ===============

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
    R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-5-15 21008]
    R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]

    =============== Created Last 30 ================

    2009-08-17 12:47 <DIR> --d----- c:\program files\Trend Micro
    2009-08-15 11:11 <DIR> --d----- c:\program files\MSXML 4.0
    2009-08-15 10:55 <DIR> --d----- c:\programdata\GlobalSCAPE
    2009-08-15 10:55 <DIR> --d----- c:\progra~2\GlobalSCAPE
    2009-08-15 10:54 <DIR> --d----- c:\program files\GlobalSCAPE
    2009-08-15 10:44 <DIR> --d----- c:\users\don\appdata\roaming\ESTsoft
    2009-08-15 10:44 <DIR> --d----- c:\programdata\ESTsoft
    2009-08-15 10:44 <DIR> --d----- c:\progra~2\ESTsoft
    2009-08-15 10:44 <DIR> --d----- c:\program files\ESTsoft
    2009-08-15 10:37 453,632 a------- c:\windows\system32\stdvcl40.dll
    2009-08-14 13:26 <DIR> --d----- c:\programdata\WEBREG
    2009-08-14 13:26 <DIR> --d----- c:\progra~2\WEBREG
    2009-08-14 13:24 <DIR> --d----- c:\programdata\HPSSUPPLY
    2009-08-14 13:21 <DIR> --d----- c:\program files\common files\Hewlett-Packard
    2009-08-14 13:21 <DIR> --d----- c:\program files\common files\HP
    2009-08-14 13:17 <DIR> --d----- c:\program files\HP
    2009-08-14 13:16 148,958 a------- c:\windows\hpoins19.dat
    2009-08-14 13:16 <DIR> --d----- c:\programdata\HP
    2009-08-14 13:16 675,840 a------- c:\windows\system32\hpowiav1.dll
    2009-08-14 13:16 573,440 a------- c:\windows\system32\hpotscl1.dll
    2009-08-14 13:16 303,104 a------- c:\windows\system32\hpovst01.dll
    2009-08-14 13:16 258,048 a------- c:\windows\system32\hpzids01.dll
    2009-08-14 13:16 26,952 a------- c:\windows\hpomdl19.dat
    2009-08-13 07:38 2,066,432 a------- c:\windows\system32\mstscax.dll
    2009-08-13 07:36 71,680 a------- c:\windows\system32\atl.dll
    2009-08-13 07:36 91,136 a------- c:\windows\system32\avifil32.dll
    2009-08-13 07:36 313,344 a------- c:\windows\system32\wmpdxm.dll
    2009-08-13 07:36 7,680 a------- c:\windows\system32\spwmp.dll
    2009-08-13 07:36 4,096 a------- c:\windows\system32\msdxm.ocx
    2009-08-13 07:36 4,096 a------- c:\windows\system32\dxmasf.dll
    2009-08-13 07:36 8,147,456 a------- c:\windows\system32\wmploc.DLL
    2009-08-13 07:36 43,520 a------- c:\windows\system32\msdxm.tlb
    2009-08-13 07:36 18,432 a------- c:\windows\system32\amcompat.tlb
    2009-08-13 07:34 160,256 a------- c:\windows\system32\wkssvc.dll
    2009-08-11 11:59 <DIR> --d----- c:\programdata\Yahoo! Companion
    2009-08-11 11:57 <DIR> --d----- c:\programdata\Yahoo!
    2009-08-11 11:57 <DIR> --d----- c:\program files\Yahoo!
    2009-08-11 10:33 1,056,768 a------- c:\windows\system32\ROBOEX32.DLL
    2009-08-11 10:33 49,152 a------- c:\windows\system32\INETWH32.DLL
    2009-08-11 10:33 <DIR> --d----- c:\program files\NetObjects
    2009-08-11 10:22 327,168 a------- c:\windows\IsUninst.exe
    2009-08-10 22:58 56 a---h--- c:\programdata\ezsidmv.dat
    2009-08-10 22:58 56 a---h--- c:\progra~2\ezsidmv.dat
    2009-08-10 22:57 <DIR> --d--r-- c:\program files\Skype
    2009-08-10 22:57 <DIR> --d----- c:\programdata\Skype
    2009-08-10 16:54 <DIR> --d----- c:\programdata\NVIDIA
    2009-08-10 14:07 1,108,512 a------- c:\windows\system32\nvcpluir.dll
    2009-08-10 14:07 801,312 a------- c:\windows\system32\nvcplui.exe
    2009-08-10 14:07 453,152 a------- c:\windows\system32\nvuninst.exe
    2009-08-10 14:07 420,384 a------- c:\windows\system32\nvcpl.cpl
    2009-08-10 14:00 97,800 a------- c:\windows\system32\infocardapi.dll
    2009-08-10 14:00 622,080 a------- c:\windows\system32\icardagt.exe
    2009-08-10 14:00 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
    2009-08-10 14:00 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
    2009-08-10 14:00 37,384 a------- c:\windows\system32\infocardcpl.cpl
    2009-08-10 14:00 11,264 a------- c:\windows\system32\icardres.dll
    2009-08-10 14:00 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
    2009-08-10 14:00 326,160 a------- c:\windows\system32\PresentationHost.exe
    2009-08-10 13:54 96,760 a------- c:\windows\system32\dfshim.dll
    2009-08-10 13:54 282,112 a------- c:\windows\system32\mscoree.dll
    2009-08-10 13:54 41,984 a------- c:\windows\system32\netfxperf.dll
    2009-08-10 13:54 158,720 a------- c:\windows\system32\mscorier.dll
    2009-08-10 13:54 83,968 a------- c:\windows\system32\mscories.dll
    2009-08-10 13:49 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    2009-08-10 13:36 604,140 a--sh--- c:\windows\system32\drivers\ISwift3.dat
    2009-08-10 13:33 105,395 a------- c:\windows\system32\drivers\klin.dat
    2009-08-10 13:33 94,643 a------- c:\windows\system32\drivers\klick.dat
    2009-08-10 13:33 <DIR> --d----- c:\programdata\Kaspersky Lab
    2009-08-10 13:33 <DIR> --d----- c:\program files\Kaspersky Lab
    2009-08-10 13:33 <DIR> --d----- c:\progra~2\Kaspersky Lab
    2009-08-10 13:31 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files
    2009-08-10 13:31 <DIR> --d----- c:\progra~2\Kaspersky Lab Setup Files
    2009-08-10 12:01 86,016 a------- c:\windows\unvise32.exe
    2009-08-10 12:01 <DIR> --d----- c:\program files\Recover Deleted Files
    2009-08-10 11:39 <DIR> --d----- c:\users\don\appdata\roaming\OpenOffice.org
    2009-08-09 18:24 <DIR> --d----- c:\windows\Panther
    2009-08-09 18:24 8,192 a--s-r-- C:\BOOTSECT.BAK
    2009-08-09 18:23 333,203 a--shr-- C:\bootmgr
    2009-08-09 18:23 <DIR> --dsh--- C:\Boot
    2009-08-09 18:17 <DIR> --d----- C:\Windows.old
    2009-08-09 17:54 2,048 a------- c:\windows\system32\tzres.dll
    2009-08-09 17:53 376,832 a------- c:\windows\system32\winhttp.dll
    2009-08-09 17:52 625,152 a------- c:\windows\system32\drivers\dxgkrnl.sys
    2009-08-09 17:52 565,248 a------- c:\windows\system32\emdmgmt.dll
    2009-08-09 17:52 148,480 a------- c:\windows\system32\drivers\nwifi.sys
    2009-08-09 17:52 45,056 a------- c:\windows\system32\dataclen.dll
    2009-08-09 17:52 36,864 a------- c:\windows\system32\cdd.dll
    2009-08-09 17:49 268,288 a------- c:\windows\system32\schannel.dll
    2009-08-09 17:49 1,191,936 a------- c:\windows\system32\msxml3.dll
    2009-08-09 17:49 443,392 a------- c:\windows\system32\win32spl.dll
    2009-08-09 17:49 147,456 a------- c:\windows\system32\Faultrep.dll
    2009-08-09 17:49 125,952 a------- c:\windows\system32\wersvc.dll
    2009-08-09 17:49 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
    2009-08-09 17:49 269,312 a------- c:\windows\system32\es.dll
    2009-08-09 17:49 1,645,568 a------- c:\windows\system32\connect.dll
    2009-08-09 17:49 <DIR> --d----- c:\program files\JRE
    2009-08-09 17:48 <DIR> --d----- c:\program files\OpenOffice.org 3
    2009-08-09 17:47 410,984 a------- c:\windows\system32\deploytk.dll
    2009-08-09 17:46 <DIR> --dsh--- c:\windows\Installer
    2009-08-09 17:44 1,334,272 a------- c:\windows\system32\msxml6.dll
    2009-08-09 17:44 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
    2009-08-09 17:44 113,664 a------- c:\windows\system32\drivers\rmcast.sys
    2009-08-09 17:38 <DIR> --d----- c:\users\Don
    2009-08-09 17:37 1,524,736 a------- c:\windows\system32\wucltux.dll
    2009-08-09 17:37 83,456 a------- c:\windows\system32\wudriver.dll
    2009-08-09 17:37 162,064 a------- c:\windows\system32\wuwebv.dll
    2009-08-09 17:37 31,232 a------- c:\windows\system32\wuapp.exe

    ==================== Find3M ====================

    2009-08-14 13:18 86,016 a------- c:\windows\inf\infstor.dat
    2009-08-14 13:18 51,200 a------- c:\windows\inf\infpub.dat
    2009-08-14 13:18 86,016 a------- c:\windows\inf\infstrng.dat
    2009-08-10 16:48 665,600 a------- c:\windows\inf\drvindex.dat
    2009-07-18 09:06 827,904 a------- c:\windows\system32\wininet.dll
    2009-07-18 09:01 78,336 a------- c:\windows\system32\ieencode.dll
    2009-07-18 02:46 26,624 a------- c:\windows\system32\ieUnatt.exe
    2009-07-03 15:48 219,664 a------- c:\windows\system32\klogon.dll
    2009-07-03 15:45 27,507 a------- c:\windows\system32\drivers\klopp.dat
    2009-06-15 08:24 156,672 a------- c:\windows\system32\t2embed.dll
    2009-06-15 08:20 72,704 a------- c:\windows\system32\fontsub.dll
    2009-06-15 08:20 10,240 a------- c:\windows\system32\dciman32.dll
    2009-06-15 05:52 289,792 a------- c:\windows\system32\atmfd.dll
    2008-01-20 19:57 174 a--sh--- c:\program files\desktop.ini
    2006-11-02 05:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 05:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 05:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 05:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 18:20:08.73 ===============
    This is the attach log.

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/9/2009 5:32:15 PM
    System Uptime: 8/17/2009 5:34:48 PM (1 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5K PRO
    Processor: Intel(R) Core(TM)2 Quad CPU Q8200 @ 2.33GHz | LGA775 | 2331/333mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 67.847 GiB free.
    D: is FIXED (NTFS) - 149 GiB total, 105.907 GiB free.
    E: is FIXED (NTFS) - 149 GiB total, 148.276 GiB free.
    F: is CDROM ()
    G: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: PC Camera
    Device ID: USB\VID_0AC8&PID_307B\5&3A5B01F9&0&2
    Manufacturer:
    Name: PC Camera
    PNP Device ID: USB\VID_0AC8&PID_307B\5&3A5B01F9&0&2
    Service:

    Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&23F9C1E3&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&23F9C1E3&0
    Service: i8042prt

    Class GUID:
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_82771043&REV_02\3&11583659&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_82771043&REV_02\3&11583659&0&FB
    Service:

    ==== System Restore Points ===================

    RP17: 8/12/2009 2:43:30 PM - Scheduled Checkpoint
    RP18: 8/13/2009 10:46:53 PM - Windows Update
    RP19: 8/14/2009 12:44:41 PM - Scheduled Checkpoint
    RP20: 8/14/2009 1:17:29 PM - Device Driver Package Install: Hewlett-Packard IEEE 1284.4 compatible printer
    RP21: 8/14/2009 1:17:41 PM - Device Driver Package Install: Hewlett-Packard Universal Serial Bus controllers
    RP23: 8/15/2009 10:53:58 AM - Installed CuteFTP 8 Home
    RP24: 8/15/2009 11:10:46 AM - Windows Update
    RP25: 8/17/2009 10:40:16 AM - Windows Update

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    4300
    4300_Help
    4300Trb
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    AIO_CDB_ProductContext
    AIO_CDB_Software
    AIO_Scan
    ALZip
    BufferChm
    Copy
    CustomerResearchQFolder
    CuteFTP 8 Home
    Destinations
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    eSupportQFolder
    Fax
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Customer Participation Program 8.0
    HP Imaging Device Functions 8.0
    HP OCR Software 8.0
    HP Photosmart Essential
    HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
    HP Solution Center 8.0
    HP Update
    HPProductAssistant
    HPSSupply
    Java(TM) 6 Update 13
    Kaspersky Internet Security 2010
    MarketResearch
    Microsoft .NET Framework 3.5 SP1
    Microsoft Visual C++ 2005 Redistributable
    MSXML 4.0 SP2 (KB954430)
    NetObjects Fusion Essentials
    NVIDIA Drivers
    OpenOffice.org 3.1
    Recover Deleted Files
    Scan
    Skype™ 4.1
    SolutionCenter
    Status
    Toolbox
    TrayApp
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Web CEO 8.0
    WebReg
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== End Of File ===========================
     
  5. 2009/08/17
    PeteC (SuperGeek, Staff)
    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  6. 2009/08/17
    broni (Moderator, Malware Analyst)
    I don't see any immediate threat, but let's check...


    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe.

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. 2009/08/18
    don1721 (Thread Starter)
    Here are the logs. Thanks in advance!

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/18/2009 at 11:48 PM

    Application Version : 4.27.1002

    Core Rules Database Version : 4060
    Trace Rules Database Version: 2000

    Scan type : Complete Scan
    Total Scan Time : 01:04:20

    Memory items scanned : 259
    Memory threats detected : 0
    Registry items scanned : 5533
    Registry threats detected : 0
    File items scanned : 159314
    File threats detected : 6

    Adware.Vundo/Variant-MSFake
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{A756664B-06CE-4613-9BF9-4AF71D11D77F}\RP47\A0012480.EXE
    C:\USERS\MOMMY\DOCUMENTS\ANY1\7ZSA85.TMP\2_VC2008.EXE
    C:\WINDOWS.OLD\DOCUMENTS AND SETTINGS\ADMINISTRATOR\7ZSA85.TMP\2_VC2008.EXE
    C:\WINDOWS.OLD\DOCUMENTS AND SETTINGS\ANY1\7ZSA85.TMP\2_VC2008.EXE
    C:\WINDOWS.OLD\DOCUMENTS AND SETTINGS\DEFAULT USER\7ZSA85.TMP\2_VC2008.EXE
    C:\WINDOWS.OLD\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\7ZSA85.TMP\2_VC2008.EXE


    Malwarebytes' Anti-Malware 1.40
    Database version: 2649
    Windows 6.0.6001 Service Pack 1

    8/19/2009 1:03:25 AM
    mbam-log-2009-08-19 (01-03-25).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 257957
    Time elapsed: 58 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15077 [ypg3wih8.exe] - http://www.gmer.net
    Rootkit scan 2009-08-19 02:01:17
    Windows 6.0.6001 Service Pack 1


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcConnectPort [0x8DE5AE06]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcCreatePort [0x8DE5AF84]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcSendWaitReceivePort [0x8DE5B014]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwClose [0x8DE59DF8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwConnectPort [0x8DE5A4EA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateEvent [0x8DE5A816]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateFile [0x8DE59F66]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateMutant [0x8DE5A6EE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0x8DE599D2]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreatePort [0x8DE5A5AA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSection [0x8DE59B8C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSemaphore [0x8DE5A948]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateWaitablePort [0x8DE5A64C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwFsControlFile [0x8DE5A0C4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenEvent [0x8DE5A8B8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenFile [0x8DE59E34]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenMutant [0x8DE5A786]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSection [0x8DE5B45C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSemaphore [0x8DE5A9EA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryDirectoryObject [0x8DE5B214]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyPort [0x8DE5AD74]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0x8DE5AC3A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSecureConnectPort [0x8DE5A1F0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetInformationToken [0x8DE5B2C8]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetTimerEx + 370 81AD2934 8 Bytes [06, AE, E5, 8D, 84, AF, E5, ...]
    .text ntkrnlpa.exe!KeSetTimerEx + 3B4 81AD2978 4 Bytes [14, B0, E5, 8D] {ADC AL, 0xb0; IN EAX, 0x8d}
    .text ntkrnlpa.exe!KeSetTimerEx + 3DC 81AD29A0 4 Bytes [F8, 9D, E5, 8D] {CLC ; POPF ; IN EAX, 0x8d}
    .text ntkrnlpa.exe!KeSetTimerEx + 3F4 81AD29B8 4 Bytes JMP 988DE5A4
    .text ntkrnlpa.exe!KeSetTimerEx + 404 81AD29C8 4 Bytes [16, A8, E5, 8D]
    .text ...

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74C87BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74CC98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74C8D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74C7F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74C87599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74C7E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74CBB33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74C8D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74C8012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74C80095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74C771F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74D0D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74CA75E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74C7DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74C7668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74C766BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3328] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74C81E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SAMLIB.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3872] @ C:\Windows\system32\SAMLIB.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:12:00 AM, on 8/19/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18294)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O13 - Gopher Prefix:
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 5388 bytes
     
  8. 2009/08/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in the upper right corner.


    Post fresh HijackThis log as well.
     
  9. 2009/08/19
    don1721

    don1721 Inactive Thread Starter

    Joined:
    2009/08/17
    Messages:
    8
    Likes Received:
    0
    I could not find the log file DrWeb.csv, so here is the new HijackThis log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:21:10 PM, on 8/19/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18294)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Windows.old\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O13 - Gopher Prefix:
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 5846 bytes
     
  10. 2009/08/19
    don1721

    don1721 Inactive Thread Starter

    Joined:
    2009/08/17
    Messages:
    8
    Likes Received:
    0
    Here is the log from DrWeb

    A0028941.exe\data002;C:\Documents and Settings\Don\DoctorWeb\Quarantine\A0028941.exe;Trojan.NtRootKit.103;;
    A0028941.exe;C:\Documents and Settings\Don\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
    dldsetup.exe/dldsetup.msi/stream001\File26;C:\Documents and Settings\Don\DoctorWeb\Quarantine\dldsetup.exe/dldsetup.msi/stream001;Probably BACKDOOR.Trojan;;
    stream001;C:\Documents and Settings\Don\DoctorWeb\Quarantine;Archive contains infected objects;;
    dldsetup.msi;C:\Documents and Settings\Don\DoctorWeb\Quarantine;Archive contains infected objects;;
    dldsetup.exe;C:\Documents and Settings\Don\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
    Marketing Tools That Made Me Ric0.htm\JavaScript.0;C:\Documents and Settings\Don\DoctorWeb\Quarantine\Marketing Tools That Made Me Ric0.htm;JS.DownLoader.32;;
    Marketing Tools That Made Me Ric0.htm;C:\Documents and Settings\Don\DoctorWeb\Quarantine;Container contains infected objects;Moved.;
    Marketing Tools That Made Me Ric1.htm\JavaScript.0;C:\Documents and Settings\Don\DoctorWeb\Quarantine\Marketing Tools That Made Me Ric1.htm;JS.DownLoader.32;;
    Marketing Tools That Made Me Ric1.htm;C:\Documents and Settings\Don\DoctorWeb\Quarantine;Container contains infected objects;Moved.;
    Marketing Tools That Made Me Rich.htm\JavaScript.0;C:\Documents and Settings\Don\DoctorWeb\Quarantine\Marketing Tools That Made Me Rich.htm;JS.DownLoader.32;;
    Marketing Tools That Made Me Rich.htm;C:\Documents and Settings\Don\DoctorWeb\Quarantine;Container contains infected objects;Moved.;
    A0017663.exe;C:\System Volume Information\_restore{A756664B-06CE-4613-9BF9-4AF71D11D77F}\RP73;Program.PsList.126;;
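    As an added example (not from the thread and not Dr.Web's own tooling), a small Python parser for the semicolon-separated DrWeb.csv layout posted above (object;location;detection;action). The sample lines are constructed from that layout, and the quarantine/restore-point labelling is a classification assumed here for the reader's benefit, not something the Dr.Web report itself provides.

```python
"""Parse a Dr.Web CureIt report (DrWeb.csv) and summarise its detections.

Added example, not part of the forum thread or of Dr.Web's own tooling.
Assumes the semicolon-separated layout seen in the posted report:
    object;location;detection;action;
Lines that only say a container holds infected objects are wrapper notes;
the real detection for the inner object is on its own line.
"""
from collections import Counter

# Constructed sample lines in the DrWeb.csv layout posted in the thread.
SAMPLE_REPORT = """\
A0028941.exe\\data002;C:\\Documents and Settings\\Don\\DoctorWeb\\Quarantine\\A0028941.exe;Trojan.NtRootKit.103;;
A0028941.exe;C:\\Documents and Settings\\Don\\DoctorWeb\\Quarantine;Archive contains infected objects;Moved.;
stream001;C:\\Documents and Settings\\Don\\DoctorWeb\\Quarantine;Archive contains infected objects;;
Marketing Tools That Made Me Rich.htm\\JavaScript.0;C:\\Documents and Settings\\Don\\DoctorWeb\\Quarantine\\Marketing Tools That Made Me Rich.htm;JS.DownLoader.32;;
A0017663.exe;C:\\System Volume Information\\_restore{A756664B-06CE-4613-9BF9-4AF71D11D77F}\\RP73;Program.PsList.126;;
"""

# Wrapper notes Dr.Web emits for an archive/container, not detections themselves.
CONTAINER_NOTES = (
    "Archive contains infected objects",
    "Container contains infected objects",
)


def parse_drweb_report(text):
    """Return one dict per non-empty line: object, location, detection, action."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected DrWeb.csv line: {line!r}")
        obj, location, detection, action = fields[:4]
        entries.append({
            "object": obj,
            "location": location,
            "detection": detection,
            "action": action,          # e.g. 'Moved.' or '' when nothing was done
        })
    return entries


def classify_location(location):
    """Label where the flagged file lives (assumed classification, not Dr.Web's).

    'quarantine'    - already inside Dr.Web's own quarantine folder
    'restore_point' - inside a System Restore snapshot
    'live'          - anywhere else, i.e. potentially still active on the system
    """
    low = location.lower()
    if "\\doctorweb\\quarantine" in low:
        return "quarantine"
    if "\\system volume information\\_restore" in low:
        return "restore_point"
    return "live"


def summarise(entries):
    """Count real detections (wrapper notes excluded) by threat name and location."""
    by_threat = Counter()
    by_location = Counter()
    for e in entries:
        if e["detection"] in CONTAINER_NOTES:
            continue
        by_threat[e["detection"]] += 1
        by_location[classify_location(e["location"])] += 1
    return by_threat, by_location


def live_detections(entries):
    """Detections that point outside quarantine and restore points: the ones that matter."""
    return [
        e for e in entries
        if e["detection"] not in CONTAINER_NOTES
        and classify_location(e["location"]) == "live"
    ]


if __name__ == "__main__":
    parsed = parse_drweb_report(SAMPLE_REPORT)
    threats, locations = summarise(parsed)
    print("detections by threat:", dict(threats))
    print("detections by location:", dict(locations))
    print("live (unquarantined) detections:", live_detections(parsed))
```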
     
  12. 2009/08/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    =================================================================

    Other than that.....

    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up.
    5. Under the System Protection tab, find Available Disks.
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK.

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please let me know how your computer is doing.
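    The same post-cleanup steps from broni's list (the JavaRa version check, the System Restore flush in steps 2 to 4, and the Windows Update check in step 5) done from an elevated Windows PowerShell prompt. This is an added example, not code from broni's post or from the WindowsBBS thread. It assumes Windows PowerShell 2.0 or later on Vista/7, an Administrator session, System Protection on the system drive C:, and the 32-bit JRE registry key the Sun installer writes; the Java Quick Starter service is matched on the display name given in the post rather than on an assumed internal service name.

```powershell
# Added example, not code from broni's post or from the WindowsBBS thread:
# the post-cleanup steps above (JavaRa, System Restore flush, Windows Update
# check) done from an elevated Windows PowerShell prompt.
# Assumptions: Windows PowerShell 2.0 or later (Vista/7), run as Administrator,
# System Protection configured on the system drive C:.

$drive = "C:\"   # assumption: protection lives on the system drive

# --- JavaRa step: list every JRE registered under the JavaSoft key so you can
# see which entries "Remove Older Versions" should clear. The JRE installer
# registers one subkey per version; the CurrentVersion value names the one the
# java launcher uses. (32-bit registry view, matching the Vista x86 box here.)
$jreKey = "HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment"
if (Test-Path $jreKey) {
    $currentVer  = (Get-ItemProperty -Path $jreKey).CurrentVersion
    $currentHome = (Get-ItemProperty -Path "$jreKey\$currentVer").JavaHome
    Write-Host "Installed JREs (current: $currentVer in $currentHome):"
    Get-ChildItem -Path $jreKey | ForEach-Object {
        $home = (Get-ItemProperty -Path $_.PSPath).JavaHome
        $flag = if ($home -eq $currentHome) { "current" } else { "older - remove" }
        Write-Host ("  {0,-12} {1,-15} {2}" -f $_.PSChildName, $flag, $home)
    }
} else {
    Write-Host "No JRE registered under $jreKey"
}

# Note 2 in the post: report the Java Quick Starter service if it is installed.
# Matched on the display name from the post, not an assumed service name.
Get-Service | Where-Object { $_.DisplayName -like "Java Quick Starter*" } |
    ForEach-Object { Write-Host "Java Quick Starter service: $($_.Name) is $($_.Status)" }

# --- Steps 2-4: flush restore points. Dr.Web flagged A0017663.exe inside
# System Volume Information\_restore..., i.e. a restore point still holding a
# copy of a detected file. Turning protection off discards the existing
# restore points (as the post describes for the GUI); turning it back on
# starts a clean set.
Write-Host "Restore points on $drive before the flush:"
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = "Created"; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize | Out-String | Write-Host

Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore  -Drive $drive
# Take a fresh baseline so the first restore point after cleanup is a clean one.
Checkpoint-Computer -Description "Clean baseline after malware removal" `
                    -RestorePointType "MODIFY_SETTINGS"

# --- Step 5: ask the Windows Update Agent what is still not installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")
if ($result.Updates.Count -eq 0) {
    Write-Host "Windows Update: nothing pending."
} else {
    Write-Host "Windows Update: $($result.Updates.Count) update(s) still pending:"
    foreach ($update in $result.Updates) { Write-Host "  - $($update.Title)" }
}
```

    The post puts a reboot between turning System Restore off and back on; the script does both in one pass, so restart afterwards if you want to follow the thread's sequence exactly. Listing the restore points first is deliberate: it shows the sequence number and date of the point that still holds the quarantined file, which is the evidence that the flush was actually needed.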
     
  13. 2009/08/26
    don1721

    don1721 Inactive Thread Starter

    Joined:
    2009/08/17
    Messages:
    8
    Likes Received:
    0
    Hi, sorry for the late reply on this. My computer is working fine, and I think I know what caused the clock settings to change: it was because of Skype. Whenever I used it to call, it changed the time to the one reflected in the time zone in Skype.

    Thanks for the help. I think all issues are now okay.
     
  14. 2009/08/26
    don1721

    don1721 Inactive Thread Starter

    Joined:
    2009/08/17
    Messages:
    8
    Likes Received:
    0
    My PC is running fine, everything is okay, thanks!
     
  15. 2009/08/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very well :)
    Thanks for posting back...
     
