My PC is infected

  • This topic is locked
4 replies to this topic

#1 Ccucu


  • Members
  • 3 posts

Posted 11 January 2011 - 09:11 AM


My PC has had problems for some time, but out of convenience I ignored them.
My antivirus expired some time ago and I have failed to renew it yet.

Yesterday the internet stopped working, so I decided to check it. I found out that several crucial Windows services won't start (Event Viewer service, DHCP service, etc.).
My first idea was to run combofix and I did that from safe mode but that didn't fix the problem, so I decided to ask for help.

Here are the logs:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:03:04, on 11.01.2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18999)
Boot mode: Normal

Running processes:
C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\nataly\Desktop\security tools\HijackThis.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Media Player\wmplayer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Bárdi Info (1)] D:\BARDIWIN\BAINFO.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Agentul Meteor.lnk = C:\MeteorMaximizer\broker.exe
O4 - Startup: Bárdi Info (D__BARDIWIN_).lnk = D:\BARDIWIN\bainfo.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP chain gap (#1 in chain of 18 missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PMBDeviceInfoProvider - Sony Corporation - C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

End of file - 6293 bytes


DDS (Ver_10-12-12.02) - NTFSx86
Run by nataly at 11:04:11,12 on 11.01.2011
Internet Explorer: 8.0.6001.18999

============== Running Processes ===============

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Users\nataly\Desktop\security tools\dds.scr
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: N/A: {9cb65206-89c4-402c-ba80-02d8c59f9b1d} - c:\program files\asktbar\srchastt\1.bin\A5SRCHAS.DLL
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Search Assistant BHO: {9cb65201-89c4-402c-ba80-02d8c59f9b1d} - c:\program files\asktbar\srchastt\1.bin\A5SRCHAS.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: Ask Toolbar BHO: {fe063db1-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [Ulead Memory Card Detector] c:\program files\ulead systems\ulead photo explorer 7.0\Monitor.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [HP Software Update] d:\hp\hp software update\HPWuSchd2.exe
mRun: [Bárdi Info (1)] d:\bardiwin\BAINFO.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 7.0\avp.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 7.0\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: portalauto.ro\certificat
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0\r3hook.dll,c:\progra~1\kasper~1\kasper~1.0\adialhk.dll c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\nataly\appdata\roaming\mozilla\firefox\profiles\ndq3wpp5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\users\nataly\appdata\roaming\mozilla\firefox\profiles\ndq3wpp5.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: d:\picasa3\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Winamp Toolbar: {0b38152b-1b20-484d-a11f-5e04a9b0661f} - %profile%\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

============= SERVICES / DRIVERS ===============

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335
R? s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter
R? s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver
R? s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM)
R? s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache
S? AVP;Kaspersky Internet Security 7.0
S? KLIM6;Kaspersky Anti-Virus NDIS 6 Filter
S? PMBDeviceInfoProvider;PMBDeviceInfoProvider

=============== Created Last 30 ================

2011-01-11 08:40:32 -------- dc----w- c:\users\nataly\appdata\local\temp
2011-01-11 08:37:19 -------- dcsh--w- C:\$RECYCLE.BIN
2011-01-11 08:23:21 98816 -c--a-w- c:\windows\sed.exe
2011-01-11 08:23:21 89088 -c--a-w- c:\windows\MBR.exe
2011-01-11 08:23:21 256512 -c--a-w- c:\windows\PEV.exe
2011-01-11 08:23:21 161792 -c--a-w- c:\windows\SWREG.exe
2011-01-05 09:12:32 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{de3328d6-bd87-4b62-961a-0db4e60f90ed}\mpengine.dll
2010-12-15 16:16:11 515584 -c--a-w- c:\program files\windows mail\wab.exe
2010-12-15 16:16:10 66048 -c--a-w- c:\program files\windows mail\wabmig.exe
2010-12-15 16:16:10 33280 -c--a-w- c:\program files\windows mail\wabfind.dll
2010-12-15 16:16:04 2037248 -c--a-w- c:\windows\system32\win32k.sys
2010-12-15 16:15:57 603648 -c--a-w- c:\windows\system32\schedsvc.dll
2010-12-15 16:15:56 357376 -c--a-w- c:\windows\system32\taskschd.dll
2010-12-15 16:15:56 345088 -c--a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-15 16:15:55 270336 -c--a-w- c:\windows\system32\taskcomp.dll
2010-12-15 16:15:55 171520 -c--a-w- c:\windows\system32\taskeng.exe
2010-12-15 16:15:42 81920 -c--a-w- c:\windows\system32\consent.exe
2010-12-15 16:15:35 292352 -c--a-w- c:\windows\system32\atmfd.dll
2010-12-15 16:15:34 34304 -c--a-w- c:\windows\system32\atmlib.dll
2010-12-15 16:15:32 72704 -c--a-w- c:\windows\system32\fontsub.dll
2010-12-15 16:13:51 2048 -c--a-w- c:\windows\system32\tzres.dll
2010-12-15 16:12:54 2409784 -c--a-w- c:\program files\windows mail\OESpamFilter.dat

==================== Find3M ====================

2010-11-02 06:01:54 916480 -c--a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 -c--a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 -c--a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 -c--a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 -c--a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 -c--a-w- c:\windows\system32\mshtml.tlb
2010-10-19 08:41:44 222080 -c----w- c:\windows\system32\MpSigStub.exe

============= FINISH: 11:07:35,92 ===============


GMER - http://www.gmer.net
Rootkit scan 2011-01-11 12:17:38
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 MAXTOR_STM3160215A rev.3.AAD
Running: 9hcspvoe.exe; Driver: C:\Users\nataly\AppData\Local\Temp\pxryqpow.sys

---- System - GMER 1.0.15 ----

INT 0x52 ? 93ED1050
INT 0x61 ? 93F0DA50
INT 0x62 ? 931872D0
INT 0x71 ? 93F0DCD0
INT 0x72 ? 93187550
INT 0x82 ? 93187050
INT 0x92 ? 931877D0
INT 0xA2 ? 93F0D550
INT 0xA3 ? 93ED17D0
INT 0xB0 ? 93F0D2D0
INT 0xB1 ? 93187CD0
INT 0xB2 ? 93F0D7D0
INT 0xB3 ? 93ED1CD0

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spyo.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 9536D46F 5 Bytes JMP 93DAC1D8
? C:\Users\nataly\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe[596] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 32.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe[596] USER32.dll!GetAppCompatFlags2 + 880 75DB6390 4 Bytes [70, 11, C6, 00]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe[2908] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 32.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe[2908] USER32.dll!GetAppCompatFlags2 + 880 75DB6390 4 Bytes [70, 11, BF, 00]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 9310E1F8
Device \FileSystem\fastfat \FatCdrom 92B57500
Device \Driver\volmgr \Device\VolMgrControl 923511F8
Device \Driver\usbuhci \Device\USBPDO-0 93DA41F8
Device \Driver\usbuhci \Device\USBPDO-1 93DA41F8
Device \Driver\usbuhci \Device\USBPDO-2 93DA41F8
Device \Driver\usbuhci \Device\USBPDO-3 93DA41F8
Device \Driver\usbehci \Device\USBPDO-4 93D991F8

AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\volmgr \Device\HarddiskVolume1 923511F8
Device \Driver\cdrom \Device\CdRom0 93E061F8
Device \Driver\volmgr \Device\HarddiskVolume2 923511F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 9310D1F8
Device \Driver\atapi \Device\Ide\IdePort0 9310D1F8
Device \Driver\atapi \Device\Ide\IdePort1 9310D1F8
Device \Driver\atapi \Device\Ide\IdePort2 9310D1F8
Device \Driver\atapi \Device\Ide\IdePort3 9310D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-2 9310D1F8
Device \Driver\volmgr \Device\HarddiskVolume4 923511F8
Device \Driver\netbt \Device\NetBt_Wins_Export 93F15500
Device \Driver\Smb \Device\NetbiosSmb 942A8500
Device \Driver\iScsiPrt \Device\RaidPort0 93E001F8

AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\USBSTOR \Device\0000005e 92B7A500
Device \Driver\USBSTOR \Device\0000005f 92B7A500
Device \Driver\usbuhci \Device\USBFDO-0 93DA41F8
Device \Driver\usbuhci \Device\USBFDO-1 93DA41F8
Device \Driver\usbuhci \Device\USBFDO-2 93DA41F8
Device \Driver\usbuhci \Device\USBFDO-3 93DA41F8
Device \Driver\usbehci \Device\USBFDO-4 93D991F8
Device \Driver\netbt \Device\NetBT_Tcpip_{72E2EDAE-7EE4-4F30-9DD4-7676ADBB3ECA} 93F15500
Device \FileSystem\fastfat \Fat 92B57500

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 92B8F500

---- Threads - GMER 1.0.15 ----

Thread System [4:328] 9431D140
Thread System [4:336] 9431D140
Thread System [4:340] 943635E0
Thread System [4:344] 943635E0
Thread System [4:352] 94365640
Thread System [4:356] 94365640
Thread System [4:360] 94365640
Thread System [4:368] 943635E0
Thread System [4:728] 929F04B0
Thread System [4:1644] 92B69B00
Thread System [4:1668] 92B69B00

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet232\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet232\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\

---- EOF - GMER 1.0.15 ----

System info:

OS Version: Microsoft® Windows Vista™ Home Basic , Service Pack 1, 32 bit
Processor: Intel® Pentium® Dual CPU E2140 @ 1.60GHz, x64 Family 6 Model 15 Stepping 13
Processor Count: 2
RAM: 1022 Mb
Graphics Card: ATI Radeon X1050 , 128 Mb
Hard Drives: C: Total - 19999 MB, Free - 1508 MB; D: Total - 132623 MB, Free - 113759 MB;
Motherboard: Gigabyte Technology Co., Ltd., 945GZM-S2, x.x,
Antivirus: Kaspersky Internet Security, Updated: No, On-Demand Scanner: Enabled

Edited by boopme, 11 January 2011 - 01:59 PM.
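The HijackThis log in the post above is plain text with one entry per line, each tagged with its section code (R1, O2, O4, O10, O23, ...). As an added example, not part of the original thread, here is a small Python parser for that format. It separates the entries by section, lists the autostart (O4) registrations, and pulls out the two findings HijackThis itself marks as problems: O10 LSP chain gaps (the log above reports "#1 in chain of 18 missing", which HijackThis labels "Broken Internet access") and registrations tagged "(file missing)". The sample log embedded in the block is constructed from a few lines of the log above; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v2 format, modelled on a few lines of the log above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:03:04, on 11.01.2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)

Running processes:
C:\Program Files\Winamp\winampa.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(TM) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - Startup: Agentul Meteor.lnk = C:\MeteorMaximizer\broker.exe
O10 - Broken Internet access because of LSP chain gap (#1 in chain of 18 missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

End of file - 6293 bytes
"""


@dataclass
class HjtEntry:
    section: str  # section code, e.g. "O4", "O10", "R1"
    body: str     # text after the "O4 - " prefix
    raw: str      # the full original line


# Every HijackThis finding starts with "<code> - "; header and process lines do not.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
# O10 detail: "(#1 in chain of 18 missing)"
LSP_GAP_RE = re.compile(r"#(\d+) in chain of (\d+) missing")
# O4 registry form: "HKLM\..\Run: [Name] command line"
O4_RUN_RE = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Split a HijackThis log into its tagged entries, ignoring headers and process lists."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2), line))
    return entries


def lsp_gaps(entries: List[HjtEntry]) -> List[Tuple[Optional[int], Optional[int]]]:
    """Return (position, chain_length) for each O10 entry.

    HijackThis emits O10 when a Winsock LSP registration points at a provider
    that is no longer present; the tool itself calls this 'Broken Internet access',
    which matches a 'network stopped working' symptom."""
    out = []
    for e in entries:
        if e.section == "O10":
            m = LSP_GAP_RE.search(e.body)
            out.append((int(m.group(1)), int(m.group(2))) if m else (None, None))
    return out


def missing_files(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Registrations whose target file HijackThis could not find on disk."""
    return [e for e in entries if e.body.endswith("(file missing)")]


def autostart_entries(entries: List[HjtEntry]) -> List[Tuple[str, str, str]]:
    """O4 lines as (location, name, command): registry Run keys and Startup-folder shortcuts."""
    out = []
    for e in entries:
        if e.section != "O4":
            continue
        m = O4_RUN_RE.match(e.body)
        if m:
            out.append((m.group("where"), m.group("name"), m.group("cmd")))
        elif " = " in e.body:  # "Startup: shortcut.lnk = C:\path\target.exe" form
            where, _, rest = e.body.partition(": ")
            name, _, cmd = rest.partition(" = ")
            out.append((where, name, cmd))
    return out


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print(f"{len(entries)} entries")
    for pos, total in lsp_gaps(entries):
        print(f"O10: LSP provider #{pos} of {total} missing (Winsock chain broken)")
    for e in missing_files(entries):
        print(f"{e.section}: target file missing -> {e.body}")
    for where, name, cmd in autostart_entries(entries):
        print(f"O4 [{where}] {name}: {cmd}")
```

The O10 and "(file missing)" checks only surface what HijackThis already decided; the O4 listing makes no judgement about any entry and is there so the autostart locations can be reviewed in one place.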



#2 Ccucu

  • Topic Starter

  • Members
  • 3 posts

Posted 12 January 2011 - 03:36 AM


Anyone please??

Here is the attach.txt file


While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the MRT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Forum Moderator


Edited by Blade Zephon, 12 January 2011 - 05:50 AM.

#3 oneof4


  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 17 January 2011 - 09:06 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL Report

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

We also need a log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Best Regards,

#4 oneof4


  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 24 January 2011 - 12:58 PM

Do you still need help?

Best Regards,

#5 Blade


    Strong in the Bleepforce

  • Site Admin
  • 12,789 posts
  • Gender:Male
  • Location:US

Posted 04 February 2011 - 02:33 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM