WiredWX Hobby Weather Tools

 


Keyboard virus problem, Types "/..,nffffffffffffff...."

2 posters

Hello,
Sorry about the last post; it was due to a holiday break with my wife overseas, and I couldn't reply to the post.

Again...I have another problem with my laptop

I'm currently using another laptop.

My other laptop has been infected with a virus?...or something
The symptoms were that whenever I typed something on the keyboard...4 letters would be typed when I only typed 1 letter...And every time this happened....it would type this first.

"/..,nffffffffffffffffffffffffffffffffffffffffffff....." And it would keep typing the letter f continuously ....

I hope you can help me with my problem with the laptop :D
Hope to hear you soon ^^

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

The 'f' key is getting stuck down?
Let's have a look around.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

HeY! :D
Uhmm no the f key is not pressed down....


DDS (Ver_09-02-01.01) - NTFSx86
Run by lina at 15:22:55.07 on Wed 04/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.2038.1306 [GMT 13:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k nfr
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\lina\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://en.nz.acer.yahoo.com/
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7070
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {90222687-F593-4738-B738-FBEE9C7B26DF} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [nfr] rundll32.exe nfr.dll,ServiceMain /pid=10180
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
IE: ???????? Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: ????????? Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: ???????????? PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: ???????????? PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: ??????????? PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: ??? Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: ???????? Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: ?????? PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1231413641_f4e499bb88f34c6cabca471483eb9699&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AWinNotifyVitaKey MC3000 - c:\program files\acer\bio-protection fingerprint solution\WinNotify.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lina\applic~1\mozilla\firefox\profiles\80rloauh.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 1

============= SERVICES / DRIVERS ===============

R?2 nfr;nfr;c:\windows\system32\svchost.exe -k nfr [2004-8-4 14336]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2004-7-20 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2005-4-8 78208]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 ccosm;Contrl Center of Storm Media;c:\program files\stormii\stormliv.exe /asservice --> c:\program files\stormii\stormliv.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-5 33752]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-15 28933976]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20080427.009\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20080427.009\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20080427.009\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20080427.009\NAVEX15.SYS [?]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]
S4 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S4 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S4 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

============== File Associations ===============

chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2009-03-04 15:16 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-04 15:15 --d----- c:\program files\SUPERAntiSpyware
2009-03-04 15:15 --d----- c:\docume~1\lina\applic~1\SUPERAntiSpyware.com
2009-03-04 15:15 --d----- c:\program files\common files\Wise Installation Wizard
2009-03-04 14:57 --d----- c:\docume~1\lina\applic~1\IObit
2009-03-04 14:57 --d----- c:\program files\IObit
2009-03-03 21:59 161,792 a------- c:\windows\SWREG.exe
2009-03-03 21:59 98,816 a------- c:\windows\sed.exe
2009-02-24 15:37 0 a------- c:\windows\system32\nfr.gpref
2009-02-24 15:35 0 a------- c:\windows\system32\nfr.assembly
2009-02-23 18:53 10,752 a------- c:\windows\system32\nfr.dll
2009-02-20 16:03 0 a------- c:\windows\system32\drivers\nfr.dll.gpref
2009-02-18 17:14 0 a------- c:\windows\system32\drivers\nfr.dll.assembly
2009-02-18 17:14 16,900 a------- c:\windows\system32\drivers\nfr.dll
2009-02-18 16:13 26,112 a------- c:\windows\system32\stu2.exe
2009-02-04 20:58 --d----- c:\program files\iPod
2009-02-04 20:58 --d----- c:\program files\iTunes
2009-02-04 20:58 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-04 20:56 32,000 a------- c:\windows\system32\drivers\usbaapl.sys

==================== Find3M ====================

2009-02-18 16:13 8,704 a------- c:\windows\system32\userinit.exe
2009-01-09 00:12 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-21 12:15 826,368 a------- c:\windows\system32\wininet.dll
2008-11-16 22:53 17,293 a------- c:\docume~1\lina\applic~1\aqosab.dll
2008-11-16 22:53 17,240 a------- c:\docume~1\lina\applic~1\dysu.vbs
2008-11-16 22:53 15,024 a------- c:\docume~1\alluse~1\applic~1\qemucyjib.reg
2008-11-16 22:53 12,609 a------- c:\docume~1\alluse~1\applic~1\ezigydej.vbs
2008-11-16 22:53 11,956 a------- c:\docume~1\alluse~1\applic~1\arelukoqeq.bat
2008-11-16 22:53 10,556 a------- c:\program files\common files\apol._dl
2008-11-16 22:53 10,489 a------- c:\program files\common files\awybe._sy
2008-11-16 22:53 10,369 a------- c:\docume~1\lina\applic~1\ohub.exe
2008-12-02 11:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120220081203\index.dat

============= FINISH: 15:23:50.34 ===============

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

  • Download combofix from here
    Link 1
    Link 2
  • Please disable your local AV (Anti-virus). See HERE for how to disable your AV. (AVG8 and Norton Internet Security)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

ComboFix 09-03-02.01 - lina 2009-03-04 16:41:01.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1524 [GMT 13:00]
Running from: c:\documents and settings\lina\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://auf-jeder.com
.
((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
.

2009-03-04 15:16 . 2009-03-04 15:16 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-04 15:15 . 2009-03-04 15:16 d-------- c:\program files\SUPERAntiSpyware
2009-03-04 15:15 . 2009-03-04 15:15 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-04 15:15 . 2009-03-04 15:15 d-------- c:\documents and settings\lina\Application Data\SUPERAntiSpyware.com
2009-03-04 14:57 . 2009-03-04 14:57 d-------- c:\program files\IObit
2009-03-04 14:57 . 2009-03-04 14:57 d-------- c:\documents and settings\lina\Application Data\IObit
2009-02-24 15:37 . 2009-02-24 15:37 0 --a------ c:\windows\system32\nfr.gpref
2009-02-24 15:35 . 2009-02-24 15:35 0 --a------ c:\windows\system32\nfr.assembly
2009-02-20 16:03 . 2009-02-20 16:03 0 --a------ c:\windows\system32\drivers\nfr.dll.gpref
2009-02-18 17:14 . 2009-02-18 17:14 0 --a------ c:\windows\system32\drivers\nfr.dll.assembly
2009-02-18 16:13 . 2008-04-14 13:12 26,112 --a------ c:\windows\system32\stu2.exe
2009-02-04 20:58 . 2009-02-04 20:58 d-------- c:\program files\iTunes
2009-02-04 20:58 . 2009-02-04 20:58 d-------- c:\program files\iPod
2009-02-04 20:58 . 2009-02-04 20:58 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-04 20:56 . 2009-02-04 20:56 d-------- c:\program files\Common Files\Apple
2009-02-04 20:56 . 2009-02-04 20:56 d-------- c:\program files\Apple Software Update
2009-02-04 20:56 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 07:56 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-18 03:13 8,704 ----a-w c:\windows\system32\userinit.exe
2009-02-13 07:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-04 07:58 --------- d-----w c:\program files\Bonjour
2009-01-08 11:12 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-08 11:12 --------- d-----w c:\program files\Java
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-11-16 09:53 17,293 ----a-w c:\documents and settings\lina\Application Data\aqosab.dll
2008-11-16 09:53 17,240 ----a-w c:\documents and settings\lina\Application Data\dysu.vbs
2008-11-16 09:53 15,024 ----a-w c:\documents and settings\All Users\Application Data\qemucyjib.reg
2008-11-16 09:53 12,609 ----a-w c:\documents and settings\All Users\Application Data\ezigydej.vbs
2008-11-16 09:53 11,956 ----a-w c:\documents and settings\All Users\Application Data\arelukoqeq.bat
2008-11-16 09:53 10,556 ----a-w c:\program files\Common Files\apol._dl
2008-11-16 09:53 10,489 ----a-w c:\program files\Common Files\awybe._sy
2008-11-16 09:53 10,369 ----a-w c:\documents and settings\lina\Application Data\ohub.exe
2007-06-01 21:14 4,683,144 ----a-w c:\documents and settings\i386\KB933566.EXE
2007-05-21 20:42 558,984 ----a-w c:\documents and settings\i386\KB935840.EXE
2007-05-21 19:42 802,696 ----a-w c:\documents and settings\i386\KB935839.EXE
2007-05-19 01:12 1,600,392 ----a-w c:\documents and settings\i386\KB929123.EXE
2007-05-05 00:42 1,266,056 ----a-w c:\documents and settings\i386\KB927891.EXE
2007-04-17 20:06 4,684,168 ----a-w c:\documents and settings\i386\KB931768.EXE
2007-04-16 23:38 795,528 ----a-w c:\documents and settings\i386\KB930916.EXE
2007-04-02 08:02 719,240 ----a-w c:\documents and settings\i386\KB935448.exe
2007-03-22 21:04 2,297,224 ----a-w c:\documents and settings\i386\KB931784.EXE
2007-03-21 10:54 561,544 ----a-w c:\documents and settings\i386\KB931261.EXE
2007-03-21 02:37 575,880 ----a-w c:\documents and settings\i386\KB932168.EXE
2007-02-07 01:27 2,292,536 ----a-w c:\documents and settings\i386\KB929338.EXE
2007-02-06 01:29 963,464 ----a-w c:\documents and settings\i386\KB928470.EXE
2006-06-14 09:00 82,944 ----a-w c:\documents and settings\i386\wdmaud.sys
2006-06-14 08:47 6,400 ----a-w c:\documents and settings\i386\splitter.sys
2006-06-14 08:47 172,416 ----a-w c:\documents and settings\i386\kmixer.sys
2006-05-05 09:41 453,120 ----a-w c:\documents and settings\i386\mrxsmb.sys
2006-04-26 09:55 583,480 ----a-w c:\documents and settings\i386\KB918005.exe
2006-03-17 00:33 262,784 ----a-w c:\documents and settings\i386\http.sys
2006-02-24 20:00 5,010,672 ----a-w c:\documents and settings\i386\KB912945.EXE
2006-02-15 00:22 142,464 ----a-w c:\documents and settings\i386\aec.sys
2005-11-04 05:05 512,752 ----a-w c:\documents and settings\i386\KB909667.exe
2005-10-12 18:00 2,583,280 ----a-w c:\documents and settings\i386\KB896256.exe
2005-03-02 00:59 2,179,328 ----a-w c:\documents and settings\i386\ntoskrnl.exe
2005-03-02 00:57 2,135,552 ----a-w c:\documents and settings\i386\ntkrnlmp.exe
2005-03-02 00:34 2,056,832 ----a-w c:\documents and settings\i386\ntkrnlpa.exe
2005-03-02 00:34 2,015,232 ----a-w c:\documents and settings\i386\ntkrpamp.exe
2004-12-21 20:33 6,144 ----a-w c:\documents and settings\TEM\NTIDrvr.sys
2004-10-07 01:20 352,488 ----a-w c:\documents and settings\i386\Q885855.exe
2002-11-13 17:12 32,256 ----a-w c:\documents and settings\TEM\addfilter.exe
2008-12-01 22:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120220081203\index.dat
.

------- Sigcheck -------

2004-08-04 18:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 13:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-18 16:13 8704 62592e700aaa4fe32483c7640f5472ad c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2009-03-03_22.01.13.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 07:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-04 02:16:05 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-03-04 02:16:05 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2000-08-30 19:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-30 19:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-12-15 04:59:45 1,653,480 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-03 09:20:39 1,653,544 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-04 03:25:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_148.dat
.

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-11-05 171448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-06-13 174872]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2007-08-01 53248]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-03-04 999424]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-03-04 1101824]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-01 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-04-19 14:38 2869760 c:\program files\Acer\Bio-Protection fingerprint solution\WinNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQPet\\QQPetAgent.exe"=
"c:\\Program Files\\Tencent\\QQGame\\QQGameDl.exe"=
"c:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:nfr
"7070:TCP"= 7070:TCP:nfr

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2004-07-20 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2005-04-08 78208]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S2 ccosm;Contrl Center of Storm Media;c:\program files\StormII\stormliv.exe /asservice --> c:\program files\StormII\stormliv.exe [?]
S2 nfr;nfr;c:\windows\System32\svchost.exe -k nfr [2004-08-04 14336]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-11-05 33752]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-15 28933976]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nfr REG_MULTI_SZ nfr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{131897da-d724-11dd-9afb-0013e8af1dcd}]
\Shell\AutoRun\command - lgrncie.bat
\Shell\explore\Command - lgrncie.bat
\Shell\open\Command - lgrncie.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f7076a3-b0a5-11dd-9ac2-0013e8af1dcd}]
\Shell\AutoRun\command - G:\PMB_P.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c26f83be-7320-11dd-9a7c-0013e8af1dcd}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee2f421b-74af-11dd-9a7f-0013e8af1dcd}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-04-27 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - lina.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe []

2009-02-04 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-04 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-03-04 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 18:15]

2009-03-04 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-03-04 14:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-nfr - nfr.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://en.nz.acer.yahoo.com/
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7070
IE: ???????? Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: ????????? Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: ???????????? PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: ???????????? PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: ??????????? PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: ??? Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: ???????? Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: ?????? PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
FF - ProfilePath - c:\documents and settings\lina\Application Data\Mozilla\Firefox\Profiles\80rloauh.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 1
.
.
------- File Associations -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 16:42:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-155772267-545420903-2524767943-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*8nb]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Sb*_ *C*C*l*e*a*n*e*r*.*.*.*\command]
@="c:\\Program Files\\CCleaner\\ccleaner.exe"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*8nb]
@DACL=(02 0013)
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,8e,6a,70,
8a,8a,c6,c8,01,02,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\àeLeQ*Q*°‹LrhV]
@DACL=(02 0013)
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,80,1e,00,00,00,00,00,00,f8,d9,
f8,7e,45,c9,01,00,00,00,00,44,00,3a,00,5c,00,74,00,6f,00,6f,00,6c,00,73,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*8nb]
"DisplayName"="QQ??"
"UninstallString"="c:\\Program Files\\Tencent\\QQGame\\Uninstall.EXE"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\àeLeQ*Q*°‹LrhV]
"DisplayName"="??QQ??? 2.30"
"UninstallString"="d:\\tools\\??QQ???\\uninst.exe"
"DisplayIcon"="d:\\tools\\??QQ???\\QQJPQ.exe"
"DisplayVersion"="2.30"
"URLInfoAbout"="http://www.wdjpq.com"
"Publisher"="?????"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Acer\Bio-Protection fingerprint solution\WinNotify.dll
c:\program files\Acer\Bio-Protection fingerprint solution\CustomRes.dll
.
Completion time: 2009-03-04 16:43:24
ComboFix-quarantined-files.txt 2009-03-04 03:43:22
ComboFix2.txt 2009-03-03 10:05:18
ComboFix3.txt 2009-03-03 09:29:45
ComboFix4.txt 2009-03-03 09:14:31
ComboFix5.txt 2009-03-04 03:40:45

Pre-Run: 13,494,538,240 bytes free
Post-Run: 13,478,789,120 bytes free

289 --- E O F --- 2009-03-03 04:17:48

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

Hello.

I asked that your AV be disabled before running Combofix because it will interfere.
See HERE for how to disable your AV. (AVG8 and Norton Internet Security)
Please allow Combofix to install the recovery console too.

I have to ask, did you install QQ games?

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
nfr

File::
c:\windows\system32\nfr.gpref
c:\windows\system32\nfr.assembly
c:\windows\system32\drivers\nfr.dll.gpref
c:\windows\system32\drivers\nfr.dll.assembly
c:\documents and settings\lina\Application Data\aqosab.dll
c:\documents and settings\lina\Application Data\dysu.vbs
c:\documents and settings\All Users\Application Data\qemucyjib.reg
c:\documents and settings\All Users\Application Data\ezigydej.vbs
c:\documents and settings\All Users\Application Data\arelukoqeq.bat
c:\program files\Common Files\apol._dl
c:\program files\Common Files\awybe._sy
c:\documents and settings\lina\Application Data\ohub.exe

FCOPY::
c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\system32\userinit.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"=-
"7070:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{131897da-d724-11dd-9afb-0013e8af1dcd}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f7076a3-b0a5-11dd-9ac2-0013e8af1dcd}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee2f421b-74af-11dd-9a7f-0013e8af1dcd}]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[Image: CFScript.txt being dragged onto ComboFix]

This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

Yeah I think I do have QQ games...

And by the way, you told me to disable the Norton and AVG security things..
But on my task bar...it doesn't show up...
And I did a file search in my computer. Yes, there are files for AVG8 etc., but I don't seem to find the program which I can open and disable it...
I think it's not running on the computer =/...I'm not sure

I did what you told me, the Combofix and the notepad thing
The virus is still there.
I will post the combo log soon, when I get my USB

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

Okay.
We'll uninstall them and remove this because it's renamed your userinit and dropped its own. I need to see the Combofix log before we go any further.

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

ComboFix 09-03-04.01 - lina 2009-03-05 17:45:53.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1503 [GMT 13:00]
Running from: c:\documents and settings\lina\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\lina\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\arelukoqeq.bat
c:\documents and settings\All Users\Application Data\ezigydej.vbs
c:\documents and settings\All Users\Application Data\qemucyjib.reg
c:\documents and settings\lina\Application Data\aqosab.dll
c:\documents and settings\lina\Application Data\dysu.vbs
c:\documents and settings\lina\Application Data\ohub.exe
c:\program files\Common Files\apol._dl
c:\program files\Common Files\awybe._sy
c:\windows\system32\drivers\nfr.dll.assembly
c:\windows\system32\drivers\nfr.dll.gpref
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\arelukoqeq.bat
c:\documents and settings\All Users\Application Data\ezigydej.vbs
c:\documents and settings\All Users\Application Data\qemucyjib.reg
c:\documents and settings\lina\Application Data\aqosab.dll
c:\documents and settings\lina\Application Data\dysu.vbs
c:\documents and settings\lina\Application Data\ohub.exe
c:\program files\Common Files\apol._dl
c:\program files\Common Files\awybe._sy
c:\windows\system32\drivers\nfr.dll.assembly
c:\windows\system32\drivers\nfr.dll.gpref
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NFR
-------\Service_nfr


((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.

2009-03-04 15:16 . 2009-03-04 15:16 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-04 15:15 . 2009-03-04 15:16 d-------- c:\program files\SUPERAntiSpyware
2009-03-04 15:15 . 2009-03-04 15:15 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-04 15:15 . 2009-03-04 15:15 d-------- c:\documents and settings\lina\Application Data\SUPERAntiSpyware.com
2009-03-04 14:57 . 2009-03-04 14:57 d-------- c:\program files\IObit
2009-03-04 14:57 . 2009-03-04 14:57 d-------- c:\documents and settings\lina\Application Data\IObit
2009-02-18 16:13 . 2008-04-14 13:12 26,112 --a------ c:\windows\system32\stu2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 07:56 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-13 07:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-04 07:58 --------- d-----w c:\program files\iTunes
2009-02-04 07:58 --------- d-----w c:\program files\iPod
2009-02-04 07:58 --------- d-----w c:\program files\Bonjour
2009-02-04 07:58 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-04 07:56 --------- d-----w c:\program files\Common Files\Apple
2009-02-04 07:56 --------- d-----w c:\program files\Apple Software Update
2009-01-08 11:12 --------- d-----w c:\program files\Java
2007-06-01 21:14 4,683,144 ----a-w c:\documents and settings\i386\KB933566.EXE
2007-05-21 20:42 558,984 ----a-w c:\documents and settings\i386\KB935840.EXE
2007-05-21 19:42 802,696 ----a-w c:\documents and settings\i386\KB935839.EXE
2007-05-19 01:12 1,600,392 ----a-w c:\documents and settings\i386\KB929123.EXE
2007-05-05 00:42 1,266,056 ----a-w c:\documents and settings\i386\KB927891.EXE
2007-04-17 20:06 4,684,168 ----a-w c:\documents and settings\i386\KB931768.EXE
2007-04-16 23:38 795,528 ----a-w c:\documents and settings\i386\KB930916.EXE
2007-04-02 08:02 719,240 ----a-w c:\documents and settings\i386\KB935448.exe
2007-03-22 21:04 2,297,224 ----a-w c:\documents and settings\i386\KB931784.EXE
2007-03-21 10:54 561,544 ----a-w c:\documents and settings\i386\KB931261.EXE
2007-03-21 02:37 575,880 ----a-w c:\documents and settings\i386\KB932168.EXE
2007-02-07 01:27 2,292,536 ----a-w c:\documents and settings\i386\KB929338.EXE
2007-02-06 01:29 963,464 ----a-w c:\documents and settings\i386\KB928470.EXE
2006-06-14 09:00 82,944 ----a-w c:\documents and settings\i386\wdmaud.sys
2006-06-14 08:47 6,400 ----a-w c:\documents and settings\i386\splitter.sys
2006-06-14 08:47 172,416 ----a-w c:\documents and settings\i386\kmixer.sys
2006-05-05 09:41 453,120 ----a-w c:\documents and settings\i386\mrxsmb.sys
2006-04-26 09:55 583,480 ----a-w c:\documents and settings\i386\KB918005.exe
2006-03-17 00:33 262,784 ----a-w c:\documents and settings\i386\http.sys
2006-02-24 20:00 5,010,672 ----a-w c:\documents and settings\i386\KB912945.EXE
2006-02-15 00:22 142,464 ----a-w c:\documents and settings\i386\aec.sys
2005-11-04 05:05 512,752 ----a-w c:\documents and settings\i386\KB909667.exe
2005-10-12 18:00 2,583,280 ----a-w c:\documents and settings\i386\KB896256.exe
2005-03-02 00:59 2,179,328 ----a-w c:\documents and settings\i386\ntoskrnl.exe
2005-03-02 00:57 2,135,552 ----a-w c:\documents and settings\i386\ntkrnlmp.exe
2005-03-02 00:34 2,056,832 ----a-w c:\documents and settings\i386\ntkrnlpa.exe
2005-03-02 00:34 2,015,232 ----a-w c:\documents and settings\i386\ntkrpamp.exe
2004-12-21 20:33 6,144 ----a-w c:\documents and settings\TEM\NTIDrvr.sys
2004-10-07 01:20 352,488 ----a-w c:\documents and settings\i386\Q885855.exe
2002-11-13 17:12 32,256 ----a-w c:\documents and settings\TEM\addfilter.exe
2008-12-01 22:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120220081203\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-03-03_22.01.13.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 07:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-04 02:16:05 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-03-04 02:16:05 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2000-08-30 19:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-30 19:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2008-04-14 00:12:38 26,112 -c--a-w c:\windows\system32\dllcache\userinit.exe
- 2008-12-15 04:59:45 1,653,480 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-03 09:20:39 1,653,544 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-05 04:48:32 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1c4.dat

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-11-05 171448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-06-13 174872]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2007-08-01 53248]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-03-04 999424]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-03-04 1101824]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-01 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-04-19 14:38 2869760 c:\program files\Acer\Bio-Protection fingerprint solution\WinNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQPet\\QQPetAgent.exe"=
"c:\\Program Files\\Tencent\\QQGame\\QQGameDl.exe"=
"c:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2004-07-20 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2005-04-08 78208]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S2 ccosm;Contrl Center of Storm Media;c:\program files\StormII\stormliv.exe /asservice --> c:\program files\StormII\stormliv.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-11-05 33752]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-15 28933976]
S3 npkycryp;npkycryp;\??\c:\windows\system32\npkycryp.sys --> c:\windows\system32\npkycryp.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nfr REG_MULTI_SZ nfr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c26f83be-7320-11dd-9a7c-0013e8af1dcd}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-04-27 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - lina.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe []

2009-02-04 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-04 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-03-04 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 18:15]

2009-03-04 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-03-04 14:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://en.nz.acer.yahoo.com/
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7070
IE: ???????? Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: ????????? Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: ???????????? PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: ???????????? PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: ??????????? PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: ??? Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: ???????? Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: ?????? PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
FF - ProfilePath - c:\documents and settings\lina\Application Data\Mozilla\Firefox\Profiles\80rloauh.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 17:49:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-155772267-545420903-2524767943-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Q*Q*8nb]
"Order"=hex:08,00,00,00,02,00,00,00,00,01,00,00,01,00,00,00,02,00,00,00,76,00,
00,00,00,00,00,00,68,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,56,00,36,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Sb*_ *C*C*l*e*a*n*e*r*.*.*.*\command]
@="c:\\Program Files\\CCleaner\\ccleaner.exe"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*8nb]
@DACL=(02 0013)
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,8e,6a,70,
8a,8a,c6,c8,01,02,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\àeLeQ*Q*°‹LrhV]
@DACL=(02 0013)
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,80,1e,00,00,00,00,00,00,f8,d9,
f8,7e,45,c9,01,00,00,00,00,44,00,3a,00,5c,00,74,00,6f,00,6f,00,6c,00,73,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*8nb]
"DisplayName"="QQ??"
"UninstallString"="c:\\Program Files\\Tencent\\QQGame\\Uninstall.EXE"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\àeLeQ*Q*°‹LrhV]
"DisplayName"="??QQ??? 2.30"
"UninstallString"="d:\\tools\\??QQ???\\uninst.exe"
"DisplayIcon"="d:\\tools\\??QQ???\\QQJPQ.exe"
"DisplayVersion"="2.30"
"URLInfoAbout"="http://www.wdjpq.com"
"Publisher"="?????"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Acer\Bio-Protection fingerprint solution\WinNotify.dll
c:\program files\Acer\Bio-Protection fingerprint solution\CustomRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\docume~1\lina\LOCALS~1\temp\RtkBtMnt.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-05 17:51:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-05 04:51:20
ComboFix2.txt 2009-03-04 03:43:25
ComboFix3.txt 2009-03-03 10:05:18
ComboFix4.txt 2009-03-03 09:29:45
ComboFix5.txt 2009-03-05 04:43:48

Pre-Run: 13,433,253,888 bytes free
Post-Run: 13,416,087,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

307 --- E O F --- 2009-03-03 04:17:48

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

Hello.
I want to get a registry export of a key.

  • Now open a new notepad file.
  • Input this into the notepad file:

    regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost"
    start notepad C:\look.txt


  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"HTTPFilter"=hex(7):48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,\
00,00,00,00,00
"LocalService"=hex(7):41,00,6c,00,65,00,72,00,74,00,65,00,72,00,00,00,57,00,65,\
00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,00,00,4c,00,6d,00,48,00,6f,00,\
73,00,74,00,73,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,\
00,69,00,73,00,74,00,72,00,79,00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,\
73,00,74,00,00,00,53,00,53,00,44,00,50,00,53,00,52,00,56,00,00,00,00,00
"NetworkService"=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
00,00
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,\
00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,\
53,00,76,00,63,00,00,00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
00,44,00,48,00,43,00,50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,\
76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,\
00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
00,69,00,74,00,79,00,00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,\
49,00,61,00,73,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,\
00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,\
76,00,65,00,72,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,\
00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,\
73,00,65,00,6e,00,67,00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,\
00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,\
00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,\
00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,\
74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,\
00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,\
63,00,65,00,73,00,73,00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,\
00,00,00,53,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,\
4e,00,53,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,\
00,73,00,73,00,00,00,53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
00,00,54,00,61,00,70,00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,\
00,65,00,73,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,\
32,00,54,00,69,00,6d,00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,\
00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,\
00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,77,00,73,00,63,00,73,\
00,76,00,63,00,00,00,78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,42,00,\
49,00,54,00,53,00,00,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,\
00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,44,00,65,00,74,00,65,00,63,00,\
74,00,69,00,6f,00,6e,00,00,00,68,00,65,00,6c,00,70,00,73,00,76,00,63,00,00,\
00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,4e,00,00,00,6e,00,61,00,70,00,\
61,00,67,00,65,00,6e,00,74,00,00,00,68,00,6b,00,6d,00,73,00,76,00,63,00,00,\
00,00,00
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
00,00,00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"imgsvc"=hex(7):53,00,74,00,69,00,53,00,76,00,63,00,00,00,00,00
"termsvcs"=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,\
65,00,00,00,00,00
"bthsvcs"=hex(7):42,00,74,00,68,00,53,00,65,00,72,00,76,00,00,00,00,00
"eapsvcs"=hex(7):65,00,61,00,70,00,68,00,6f,00,73,00,74,00,00,00,00,00
"dot3svc"=hex(7):64,00,6f,00,74,00,33,00,73,00,76,00,63,00,00,00,00,00
"nfr"=hex(7):6e,00,66,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter]
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00002000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00003020

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth]
"CoInitializeSecurityParam"=dword:00000002
"AuthenticationCapabilities"=dword:00000040

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008
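
Decoding the export in the post above, as an added example that is not part of the original thread: each svchost group is a REG_MULTI_SZ value written as `hex(7)` UTF-16LE bytes, so the group members only become readable once decoded and can then be compared with a known-good export. The sample reuses three values from the export; the baseline is a constructed stand-in for a clean-machine export, and all function names are hypothetical.

```python
import re

# Constructed sample: three values copied from the export in this thread,
# trimmed so the example stays short.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
  00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
  00,00,00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"nfr"=hex(7):6e,00,66,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch]
"CoInitializeSecurityParam"=dword:00000001
'''

# Constructed baseline: the same text without the "nfr" value, standing in
# for an export taken from a clean machine (an assumption of this example).
BASELINE_EXPORT = '\n'.join(
    line for line in SAMPLE_EXPORT.splitlines() if not line.startswith('"nfr"')
)

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=hex\(7\):(.*)$')


def join_continuations(text):
    """Merge lines ending in a backslash with the line that follows."""
    logical, pending = [], ''
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes often lose or add indentation
        if line.endswith('\\'):
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ''
    if pending:
        logical.append(pending)
    return logical


def decode_multi_sz(hex_csv):
    """Decode the comma-separated bytes of a hex(7) value into strings."""
    data = bytes(int(b.strip(), 16) for b in hex_csv.split(',') if b.strip())
    if len(data) % 2:
        raise ValueError('odd byte count: not UTF-16LE data')
    text = data.decode('utf-16-le')
    # REG_MULTI_SZ: NUL-terminated strings, then one more NUL ends the list.
    return [s for s in text.split('\x00') if s]


def svchost_groups(export_text, key_suffix=r'\currentversion\svchost'):
    """Return {group: [service, ...]} for hex(7) values directly under the key."""
    groups, in_key = {}, False
    for line in join_continuations(export_text):
        m = KEY_RE.match(line)
        if m:
            # Subkeys such as ...\svchost\DComLaunch do not end with the suffix.
            in_key = m.group(1).lower().endswith(key_suffix)
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            groups[m.group(1)] = decode_multi_sz(m.group(2))
    return groups


def diff_groups(baseline, current):
    """Return groups/services present in current but absent from baseline."""
    base = {g.lower(): {s.lower() for s in svcs} for g, svcs in baseline.items()}
    added = {}
    for group, svcs in current.items():
        known = base.get(group.lower(), set())
        new = [s for s in svcs if s.lower() not in known]
        if group.lower() not in base or new:
            added[group] = new
    return added


if __name__ == '__main__':
    current = svchost_groups(SAMPLE_EXPORT)
    for name, services in current.items():
        print(f'{name}: {", ".join(services)}')
    print('not in baseline:', diff_groups(svchost_groups(BASELINE_EXPORT), current))
```
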

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\npkycryp.sys

Driver::
npkycryp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"nfr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[Image: CFScript.txt being dragged onto ComboFix]

This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

Re: Keyboard virus problem, Types "/..,nffffffffffffff...."

The problem is still there > < ...
Will send you a log file in a few hours, off to work ^^
