Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Maybe infected laptop, please help!

  • This topic is locked This topic is locked
7 replies to this topic

#1 PcWiz1080


  • Members
  • 6 posts
  • Local time:07:39 AM

Posted 25 March 2010 - 12:07 PM

Hi, good peoples thumbup.gif I am from Croatia I dont know much English. What I have to do check my status of laptop, someone on the other forums for weeks waiting for someone to answer.

Be good, fast, and I recommend your forum to all I promise thumbup2.gif


Here's the DDS and GMER logs.


DDS (Ver_10-03-17.01) - NTFSx86
Run by pezo at 21:16:46,30 on źet 03/25/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1250.385.1033.18.1014.318 [GMT 1:00]

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k swprv

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GR469A~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GRA32A~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\pezo\appdata\roaming\mozilla\firefox\profiles\nvpi31w4.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-2-22 133512]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-2-22 810120]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2010-2-22 41312]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-3-22 236368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-3-22 19160]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 LcAgent;LC Remote Agent;c:\windows\temp\lcagent.exe --> c:\windows\temp\lcagent.exe [?]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-12 1334568]

=============== Created Last 30 ================

2010-03-25 18:37:43 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-25 18:37:22 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-25 18:24:02 0 d-----w- c:\program files\NSIS
2010-03-23 11:58:18 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-03-23 09:22:57 0 d-----w- c:\users\pezo\3-23-2010
2010-03-22 09:18:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-22 09:18:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-22 09:18:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-12 22:32:24 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-12 22:29:49 0 d-----w- c:\programdata\ESET
2010-03-12 22:29:49 0 d-----w- c:\program files\ESET
2010-03-12 10:16:10 0 d-----w- c:\users\pezo\appdata\roaming\IObit
2010-03-12 09:01:59 0 d-----w- c:\windows\system32\Wat
2010-03-12 08:30:45 0 d---a-w- c:\programdata\TEMP
2010-03-10 10:51:37 0 d-----w- c:\programdata\Trymedia
2010-03-09 19:31:42 0 d-----w- c:\program files\QS
2010-03-09 19:31:38 0 d-----w- c:\users\pezo\appdata\roaming\TeamViewer
2010-03-09 19:31:27 0 d-----w- c:\users\pezo\temp
2010-02-28 18:32:09 0 d-----w- c:\program files\FileHippo.com
2010-02-27 09:13:34 203576 ----a-w- c:\windows\system32\richtx32.ocx
2010-02-27 09:13:34 140288 ----a-w- c:\windows\system32\comdlg32.ocx
2010-02-27 09:13:33 124688 ----a-w- c:\windows\system32\mswinsck.ocx
2010-02-24 08:19:37 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-02-24 08:19:36 417792 ----a-w- c:\windows\system32\msdri.dll
2010-02-24 08:19:36 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-02-24 08:19:35 465408 ----a-w- c:\windows\system32\psisdecd.dll
2010-02-24 08:19:31 2048 ----a-w- c:\windows\system32\tzres.dll

==================== Find3M ====================

2010-02-24 09:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 15:51:14 41312 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2010-02-22 15:51:04 32584 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-02-22 15:50:56 134488 ----a-w- c:\windows\system32\drivers\epfw.sys
2010-02-22 15:50:06 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-02-22 15:47:22 133512 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-02-17 15:09:38 33848 ----a-w- c:\windows\system32\drivers\nchssvad.sys
2010-01-28 19:00:40 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-01-20 20:41:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29:31 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29:30 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28:33 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28:33 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28:30 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28:30 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:17:05,38 ===============

And i attached Attach.txt at the end.

GMER log

GMER - http://www.gmer.net
Rootkit scan 2010-03-25 21:33:24
Windows 6.1.7600
Running: lo4pzqs1.exe; Driver: C:\Users\pezo\AppData\Local\Temp\kxldapog.sys

---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C24AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C24104
INT 0x61 ? 92CB4558
INT 0x71 ? 92CB47D8
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C243F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C0C634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C0C898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C241DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C24958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C246F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C24F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C251A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82C845C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CA9052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\spnl.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8C68ECA0 5 Bytes JMP 85A2D4E0
.text peauth.sys 95008C9D 28 Bytes [9E, 35, 30, 7E, F7, FB, 53, ...]
.text peauth.sys 95008CC1 28 Bytes [9E, 35, 30, 7E, F7, FB, 53, ...]
? C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1640] kernel32.dll!SetUnhandledExceptionFilter 76613162 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [87096042] \SystemRoot\System32\Drivers\spnl.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [870966D6] \SystemRoot\System32\Drivers\spnl.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [87096800] \SystemRoot\System32\Drivers\spnl.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8709613E] \SystemRoot\System32\Drivers\spnl.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 847611F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 8475C1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{94CBBF97-4295-444A-845A-89A7D5AC6009} 858171F8
Device \Driver\usbuhci \Device\USBPDO-0 859FC1F8
Device \Driver\usbuhci \Device\USBPDO-1 859FC1F8
Device \Driver\ACPI_HAL \Device\00000053 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-2 85A21500
Device \Driver\usbuhci \Device\USBPDO-3 859FC1F8
Device \Driver\usbuhci \Device\USBPDO-4 859FC1F8
Device \Driver\usbuhci \Device\USBPDO-5 859FC1F8
Device \Driver\usbehci \Device\USBPDO-6 85A21500
Device \Driver\volmgr \Device\HarddiskVolume1 8475C1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{DDA78DE3-9A4D-4A5B-9482-45182EB29149} 858171F8
Device \Driver\volmgr \Device\HarddiskVolume2 8475C1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 857B01F8
Device \Driver\volmgr \Device\HarddiskVolume3 8475C1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8475E1F8
Device \Driver\atapi \Device\Ide\IdePort0 8475E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 8475E1F8
Device \Driver\atapi \Device\Ide\IdePort1 8475E1F8
Device \Driver\atapi \Device\Ide\IdePort2 8475E1F8
Device \Driver\atapi \Device\Ide\IdePort3 8475E1F8
Device \Driver\atapi \Device\Ide\IdePort4 8475E1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel0 8475F1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel1 8475F1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel2 8475F1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 858171F8
Device \Driver\usbuhci \Device\USBFDO-0 859FC1F8
Device \Driver\usbuhci \Device\USBFDO-1 859FC1F8
Device \Driver\usbehci \Device\USBFDO-2 85A21500
Device \Driver\usbuhci \Device\USBFDO-3 859FC1F8
Device \Driver\usbuhci \Device\USBFDO-4 859FC1F8
Device \Driver\usbuhci \Device\USBFDO-5 859FC1F8
Device \Driver\usbehci \Device\USBFDO-6 85A21500
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Windows\Explorer.EXE [2708] 0x03110000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

And this key was red colour
Library C:\Program (*** hidden *** ) @ C:\Windows\Explorer.EXE [2708] 0x03110000

Thanks very very very much in advance! thumbup.gif

Merged posts. ~ OB

Attached Files

Edited by Orange Blossom, 25 March 2010 - 10:45 PM.

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:39 AM

Posted 28 March 2010 - 12:08 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 PcWiz1080

  • Topic Starter

  • Members
  • 6 posts
  • Local time:07:39 AM

Posted 29 March 2010 - 01:34 PM

Thanky ou for coming thumbup.gif

I am there, sure dance.gif

Sorry I have made a little changes, if need be I will post again no problem

Edited by PcWiz1080, 29 March 2010 - 01:35 PM.

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:39 AM

Posted 29 March 2010 - 06:56 PM


Can you let me know what symptoms you are having with the computer.

Posted Image
m0le is a proud member of UNITE

#5 PcWiz1080

  • Topic Starter

  • Members
  • 6 posts
  • Local time:07:39 AM

Posted 30 March 2010 - 06:19 AM

My are symptoms are a not much slowly laptop.

Thanky you for helping thumbup.gif

#6 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:39 AM

Posted 30 March 2010 - 04:44 PM

I asked because the logs you gave me are clean.

If it's just slow then it could be nothing to do with an infection.

We can do a quick scan to see if anything comes up first though.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
Posted Image
m0le is a proud member of UNITE

#7 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:39 AM

Posted 02 April 2010 - 07:41 PM


I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.


Posted Image
m0le is a proud member of UNITE

#8 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:39 AM

Posted 03 April 2010 - 07:56 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. smile.gif

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users