Author Topic: I can't open control panel on vista HiJackThis log attached (Read 4416 times)

Derek · « **Reply #10 on:** December 11, 2009, 17:09:44 »

can you go to c:\qoobox & look for ComboFix-quarantined-files.txt and combofix2.txt and attach them here in your next reply please

[attachment deleted by admin]

amanda520 · « **Reply #11 on:** December 11, 2009, 18:56:37 »

I can't find combofix2.txt But here is the first one you asked for.

Thanks

[attachment deleted by admin]

Derek · « **Reply #12 on:** December 11, 2009, 19:20:08 »

OK run gmer again please I need to check something. I suspect you might still have a rootkit

are yoiu getting any diverts when searching using google or yahoo or other search engines, Any pop ups still

amanda520 · « **Reply #13 on:** December 18, 2009, 09:30:18 »

Yes I still get pop ups. Here is the log of gmer:

GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-18 09:29:03
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\ACHIAN~1\AppData\Local\Temp\pwryrpow.sys

---- System - GMER 1.0.15 ----

SSDT 88623568 ZwAlertResumeThread
SSDT 88623648 ZwAlertThread
SSDT 88633240 ZwAllocateVirtualMemory
SSDT 88483468 ZwAlpcConnectPort
SSDT 88623078 ZwCreateMutant
SSDT 886333D0 ZwCreateThread
SSDT 886220D0 ZwDebugActiveProcess
SSDT 886330A0 ZwFreeVirtualMemory
SSDT 886233A8 ZwImpersonateAnonymousToken
SSDT 88623488 ZwImpersonateThread
SSDT 88626F50 ZwMapViewOfSection
SSDT 88622810 ZwOpenEvent
SSDT 88633310 ZwOpenProcessToken
SSDT 886223F0 ZwOpenSection
SSDT 88626C90 ZwOpenThreadToken
SSDT 884BA2B8 ZwResumeThread
SSDT 88626BB0 ZwSetContextThread
SSDT 88626D80 ZwSetInformationProcess
SSDT 88626AC0 ZwSetInformationThread
SSDT 886224D0 ZwSuspendProcess
SSDT 88623790 ZwSuspendThread
SSDT 88620828 ZwTerminateProcess
SSDT 886269E0 ZwTerminateThread
SSDT 88626E70 ZwUnmapViewOfSection
SSDT 88633170 ZwWriteVirtualMemory

INT 0x20 \SystemRoot\system32\KeyCrypt.sys (KeyCrypt/ Tencent Technology (Shenzhen) Company Limited) 8A55F0BE
INT 0x51 ? 85793BF8
INT 0x51 ? 85793BF8
INT 0x51 ? 86B82BF8
INT 0x51 ? 85793BF8
INT 0x61 ? 85793BF8
INT 0x61 ? 85793BF8
INT 0x61 ? 85793BF8
INT 0x71 ? 86B82BF8
INT 0x72 ? 86B82BF8
INT 0x82 ? 86B82BF8
INT 0x92 ? 86B82BF8
INT 0x92 ? 86B82BF8
INT 0x92 ? 86B82BF8
INT 0x92 ? 86B82BF8
INT 0xA2 ? 85793BF8
INT 0xB2 ? 85793BF8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 857981F8
Device \FileSystem\fastfat \FatCdrom 8881C380
Device \FileSystem\udfs \UdfsCdRom 8882A1F8
Device \FileSystem\udfs \UdfsDisk 8882A1F8
Device \Driver\kbdclass \Device\KeyboardClass0 KeyCrypt.sys (KeyCrypt/ Tencent Technology (Shenzhen) Company Limited)
Device \Driver\volmgr \Device\VolMgrControl 857951F8
Device \Driver\netbt \Device\NetBT_Tcpip_{74F4D674-712F-4EC6-8C05-6A3CDE06E1F5} 88586500
Device \Driver\usbuhci \Device\USBPDO-0 869261F8
Device \Driver\usbuhci \Device\USBPDO-1 869261F8
Device \Driver\usbuhci \Device\USBPDO-2 869261F8
Device \Driver\usbehci \Device\USBPDO-3 8692F1F8
Device \Driver\usbuhci \Device\USBPDO-4 869261F8

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBPDO-5 869261F8
Device \Driver\usbuhci \Device\USBPDO-6 869261F8
Device \Driver\volmgr \Device\HarddiskVolume1 857951F8
Device \Driver\usbehci \Device\USBPDO-7 8692F1F8
Device \Driver\volmgr \Device\HarddiskVolume2 857951F8
Device \Driver\cdrom \Device\CdRom0 86A02500
Device \Driver\USBSTOR \Device\00000072 88C92500
Device \Driver\volmgr \Device\HarddiskVolume3 857951F8
Device \Driver\cdrom \Device\CdRom1 86A02500
Device \Driver\atapi \Device\Ide\IdePort0 857971F8
Device \Driver\atapi \Device\Ide\IdePort1 857971F8
Device \Driver\atapi \Device\Ide\IdePort2 857971F8
Device \Driver\atapi \Device\Ide\IdePort3 857971F8
Device \Driver\atapi \Device\Ide\IdePort4 857971F8
Device \Driver\atapi \Device\Ide\IdePort5 857971F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 857971F8
Device \Driver\netbt \Device\NetBT_Tcpip_{215DED98-1AB8-48C5-9780-D37BAA262732} 88586500
Device \Driver\netbt \Device\NetBt_Wins_Export 88586500
Device \Driver\Smb \Device\NetbiosSmb 885821F8
Device \Driver\USBSTOR \Device\00000079 88C92500
Device \Driver\PCI_PNP8220 \Device\0000005a sphh.sys
Device \Driver\iScsiPrt \Device\RaidPort0 869471F8

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 869261F8
Device \Driver\sptd \Device\2756804470 sphh.sys
Device \Driver\usbuhci \Device\USBFDO-1 869261F8
Device \Driver\netbt \Device\NetBT_Tcpip_{298A3363-1236-45F4-893B-F2B7A57CB85F} 88586500
Device \Driver\usbuhci \Device\USBFDO-2 869261F8
Device \Driver\usbehci \Device\USBFDO-3 8692F1F8
Device \Driver\usbuhci \Device\USBFDO-4 869261F8
Device \Driver\usbuhci \Device\USBFDO-5 869261F8
Device \Driver\usbuhci \Device\USBFDO-6 869261F8
Device \Driver\usbehci \Device\USBFDO-7 8692F1F8
Device \Driver\aeszwq9s \Device\Scsi\aeszwq9s1 869381F8
Device \Driver\aeszwq9s \Device\Scsi\aeszwq9s1Port7Path0Target0Lun0 869381F8
Device \FileSystem\fastfat \Fat 8881C380

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\ACPI \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074 CDDA8662
Device \FileSystem\cdfs \Cdfs 8A1CC1F8
Device \Driver\ACPI -> \Device\Harddisk0\DR0 CDDA8662
Device -> \Driver\atapi \Device\Harddisk0\DR0 85884618

---- Threads - GMER 1.0.15 ----

Thread System [4:11280] CDDA97FA
---- Processes - GMER 1.0.15 ----

Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Tencent\QQ\QQ.exe [4728] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [5216] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 816044522
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1909146625
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0x1A 0xB1 0x69 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0xA5 0x3C 0x94 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x24 0xC5 0x0E 0x66 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0x1A 0xB1 0x69 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0xA5 0x3C 0x94 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x24 0xC5 0x0E 0x66 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQ
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQ@DisplayName QQ?

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQ@UninstallString D:\MyGames\Tencent\QQGAME\Uninstall.EXE
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\QQ
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\QQ@SlowInfoCache 0x28 0x02 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\QQ@Changed 0
Reg HKCU\Software\Microsoft\Windows Live\Communications Clients\Shared\1195089590\Groups@vQ 0

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Derek · « **Reply #14 on:** December 18, 2009, 09:53:59 »

Delete any existing version of ComboFix you have sitting on your desktop

Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.
Note: This is a beta version of combofix and might be unstable but tests done so far have proved it woprks well

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again after combofix has finished

--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running

Double click on combofix.exe & follow the prompts.

If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

amanda520 · « **Reply #15 on:** December 18, 2009, 11:06:15 »

Here is the combofix log:

ComboFix 09-12-17.01 - A CHIANG 8/2009 Fri 10:42:50.4.8 - x86

?: c:\users\A CHIANG\Desktop\KittyFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((

)))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Cursors\aero_link.cur

.
((((((((((((((((((((((((((((((((((((((( ??/?? )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TESSAFE
-------\Service_TesSafe

((((((((((((((((((((((((( 2009-11-18 ? 2009-12-18

?? )))))))))))))))))))))))))))))))
.

2009-12-18 10:49 . 2009-12-18 10:54   --------   d-----w-   c:\users\A CHIANG\AppData\Local\temp
2009-12-18 10:49 . 2009-12-18 10:49   --------   d-----w-   c:\users\Public\AppData\Local\temp
2009-12-18 10:49 . 2009-12-18 10:49   --------   d-----w-   c:\users\Default\AppData\Local\temp
2009-12-16 12:24 . 2008-02-26 17:17   493568   ----a-w-   c:\windows\system32\drivers\netr73.sys
2009-12-16 12:23 . 2009-12-16 12:23   --------   d-----w-   c:\program files\RALINK
2009-12-14 10:49 . 2009-12-14 10:49   --------   d-----w-   c:\users\A CHIANG\AppData\Roaming\Gaupol
2009-12-14 10:49 . 2009-12-14 10:50   --------   d-----w-   c:\users\A CHIANG\AppData\Roaming\gtk-2.0
2009-12-14 10:48 . 2009-12-14 10:49   --------   d-----w-   c:\program files\Gaupol
2009-12-13 03:24 . 2009-12-13 03:25   --------   d-----w-   c:\program files\Common Files\DivX Shared
2009-12-12 16:19 . 2009-12-12 16:19   8854   ----a-r-   c:\users\A CHIANG\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2009-12-12 16:19 . 2009-12-12 16:19   40960   ----a-r-   c:\users\A CHIANG\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2009-12-12 16:19 . 2009-12-12 16:19   40960   ----a-r-   c:\users\A CHIANG\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-12-11 20:17 . 2009-12-18 04:03   --------   d-----w-   c:\users\A CHIANG\AppData\Roaming\vlc
2009-12-11 17:05 . 2009-12-11 17:05   --------   d-----w-   c:\program files\GiPo@Utilities
2009-12-11 17:05 . 2009-12-11 17:05   --------   d-----w-   c:\program files\Common Files\Gibinsoft Shared
2009-12-11 09:46 . 2009-12-09 09:00   2747440   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.041\CCERASER.DLL
2009-12-11 09:46 . 2009-10-11 08:00   259440   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.041\ECMSVR32.DLL
2009-12-11 09:46 . 2009-09-17 08:00   84912   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.041\NAVENG.SYS
2009-12-11 09:46 . 2009-09-17 08:00   371248   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.041\EECTRL.SYS
2009-12-11 09:46 . 2009-09-17 08:00   177520   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.041\NAVENG32.DLL
2009-12-11 09:46 . 2009-09-17 08:00   1647984   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.041\NAVEX32A.DLL
2009-12-11 09:46 . 2009-09-17 08:00   1323568   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.041\NAVEX15.SYS
2009-12-11 09:46 . 2009-09-17 08:00   102448   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.041\ERASER.SYS
2009-12-11 01:40 . 2009-12-09 09:00   2747440   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.023\CCERASER.DLL
2009-12-11 01:40 . 2009-10-11 08:00   259440   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.023\ECMSVR32.DLL
2009-12-11 01:40 . 2009-09-17 08:00   84912   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.023\NAVENG.SYS
2009-12-11 01:40 . 2009-09-17 08:00   371248   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.023\EECTRL.SYS
2009-12-11 01:40 . 2009-09-17 08:00   177520   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.023\NAVENG32.DLL
2009-12-11 01:40 . 2009-09-17 08:00   1647984   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.023\NAVEX32A.DLL
2009-12-11 01:40 . 2009-09-17 08:00   1323568   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.023\NAVEX15.SYS
2009-12-11 01:40 . 2009-09-17 08:00   102448   ----a-w-   c:\programdata\Symantec\Definitions\VirusDefs\20091210.023\ERASER.SYS
2009-12-10 17:07 . 2009-12-10 17:07   4844295   ----a-w-   c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-10 17:07 . 2009-12-10 17:07   --------   d-----w-   c:\users\A CHIANG\AppData\Roaming\Malwarebytes
2009-12-10 17:06 . 2009-12-03 16:13   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-12-10 17:06 . 2009-12-03 16:14   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-10 17:06 . 2009-12-10 17:08   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-12-10 17:06 . 2009-12-10 17:06   --------   d-----w-   c:\programdata\Malwarebytes
2009-12-09 04:37 . 2009-12-09 04:37   31048   ----a-w-   c:\users\A CHIANG\AppData\Roaming\SafeBase\_temp\SelfUpdate.exe
2009-12-09 04:36 . 2009-12-09 04:36   --------   d-----w-   c:\users\A CHIANG\AppData\Roaming\SafeBase
2009-12-08 01:15 . 2009-12-08 01:15   --------   d-----w-   c:\programdata\WindowsSearch
2009-12-07 22:23 . 2009-05-18 14:17   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-07 22:23 . 2008-04-17 13:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
2009-12-07 22:22 . 2009-12-07 22:22   --------   d-----w-   c:\program files\iPod
2009-12-07 22:22 . 2009-12-07 22:23   --------   d-----w-   c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-07 22:22 . 2009-12-07 22:23   --------   d-----w-   c:\program files\iTunes
2009-12-07 22:21 . 2009-12-07 22:21   --------   d-----w-   c:\program files\QuickTime
2009-12-07 21:47 . 2009-12-07 21:47   79144   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-07 18:51 . 2009-12-07 18:51   439816   ----a-w-   c:\users\A CHIANG\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-12-07 17:31 . 2009-12-07 17:40   532   ----a-w-   c:\windows\eReg.dat
2009-12-07 12:41 . 2009-10-29 09:41   2048   ----a-w-   c:\windows\system32\tzres.dll
2009-12-07 12:41 . 2009-09-04 17:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
2009-12-07 12:41 . 2009-09-04 17:29   1892184   ----a-w-   c:\windows\system32\D3DX9_42.dll
2009-12-07 12:30 . 2009-12-07 12:30   --------   d-----w-   c:\program files\Trend Micro
2009-12-01 05:19 . 2009-11-20 03:02   268664   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091120.002\SymIDSco.sys
2009-12-01 05:19 . 2009-11-20 03:02   732536   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091120.002\Scxpx86.dll
2009-12-01 05:19 . 2009-11-20 03:02   286768   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091120.002\IDSvix86.sys
2009-12-01 05:19 . 2009-11-20 03:02   173432   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091120.002\SymIDSI.dll
2009-12-01 05:19 . 2009-11-20 03:02   685432   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091120.002\IDSxpx86.dll
2009-12-01 05:19 . 2009-11-20 03:02   396336   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091120.002\IDSviA64.sys
2009-12-01 05:19 . 2009-01-02 22:18   157120   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091120.002\IDS9xx86.dll
2009-11-25 08:10 . 2009-08-10 11:01   1399296   ----a-w-   c:\windows\system32\msxml6.dll
2009-11-25 08:10 . 2009-08-10 11:00   1257472   ----a-w-   c:\windows\system32\msxml3.dll
2009-11-25 00:57 . 2009-11-25 00:57   --------   d-----w-   c:\users\A CHIANG\AppData\Roaming\QQMusicUpdate
2009-11-20 03:02 . 2009-11-20 03:02   268664   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\symidsco.sys
2009-11-20 03:02 . 2009-11-20 03:02   732536   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\scxpx86.dll
2009-11-20 03:02 . 2009-11-20 03:02   286768   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\IDSvix86.sys
2009-11-20 03:02 . 2009-11-20 03:02   173432   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\SymIDSI.dll
2009-11-20 03:02 . 2009-11-20 03:02   685432   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\idsxpx86.dll
2009-11-20 03:02 . 2009-11-20 03:02   396336   ----a-w-   c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\IDSvia64.sys

.
((((((((((((((((((((((((((((((((((((((((

?? ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-18 10:50 . 2009-02-02 08:40   12   ----a-w-   c:\windows\bthservsdp.dat
2009-12-17 23:04 . 2009-01-25 01:16   --------   d-----w-   c:\users\A CHIANG\AppData\Roaming\uTorrent
2009-12-17 17:09 . 2009-01-26 12:04   --------   d-----w-   c:\users\A CHIANG\AppData\Roaming\dvdcss
2009-12-17 09:43 . 2009-10-11 15:37   158256   ----a-w-   c:\windows\system32\TesSafe.sys
2009-12-16 12:23 . 2008-07-31 10:46   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-12-13 08:29 . 2009-01-21 11:37   --------   d-----w-   c:\users\A CHIANG\AppData\Roaming\Apple Computer
2009-12-13 03:25 . 2009-02-09 21:59   --------   d-----w-   c:\program files\DivX
2009-12-07 23:14 . 2009-01-21 11:31   --------   d-----w-   c:\programdata\Apple
2009-12-07 22:22 . 2009-01-25 13:03   --------   d-----w-   c:\program files\Common Files\Apple
2009-12-07 22:22 . 2009-01-25 13:04   --------   d-----w-   c:\programdata\Apple Computer
2009-12-07 15:39 . 2009-01-17 13:34   1356   ----a-w-   c:\users\A CHIANG\AppData\Local\d3d9caps.dat
2009-11-25 00:57 . 2009-01-24 21:31   --------   d-----w-   c:\users\A CHIANG\AppData\Roaming\Tencent
2009-11-25 00:56 . 2009-02-14 03:18   --------   d-----w-   c:\programdata\Tencent
2009-11-16 03:38 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2009-11-16 03:28 . 2009-02-22 20:05   --------   d-----w-   c:\programdata\Microsoft Help
2009-11-16 03:28 . 2009-02-22 20:17   1680064   ----a-w-   c:\programdata\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2009-11-16 03:25 . 2009-02-22 20:21   --------   d-----w-   c:\program files\Microsoft SQL Server
2009-11-16 03:12 . 2009-02-22 20:17   18368   ----a-w-   c:\programdata\Microsoft\VSA\9.0\1033\ResourceCache.dll
2009-11-14 13:43 . 2009-11-14 13:43   --------   d-----w-   c:\programdata\BioWare
2009-11-14 13:42 . 2009-01-17 13:43   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-11-14 13:42 . 2009-01-17 13:43   --------   d-----w-   c:\program files\AGEIA Technologies
2009-11-14 13:24 . 2009-11-14 13:24   --------   d-----w-   c:\program files\Microsoft Office Outlook Connector
2009-11-14 13:23 . 2009-01-25 11:36   --------   d-----w-   c:\program files\Windows Live
2009-11-14 13:22 . 2009-02-22 20:20   --------   d-----w-   c:\program files\Microsoft SQL Server Compact Edition
2009-11-14 13:20 . 2009-01-25 11:37   --------   d-----w-   c:\program files\Microsoft
2009-11-14 00:47 . 2009-11-14 00:47   90112   ----a-w-   c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47   856064   ----a-w-   c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47   856064   ----a-w-   c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47   847872   ----a-w-   c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47   843776   ----a-w-   c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47   839680   ----a-w-   c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47   696320   ----a-w-   c:\windows\system32\DivX.dll
2009-11-12 18:58 . 2009-11-12 18:58   --------   d-----w-   c:\program files\Refworks
2009-11-06 10:59 . 2009-11-06 10:59   15406728   ----a-w-   c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59   13642888   ----a-w-   c:\windows\system32\xlivefnt.dll
2009-11-02 22:48 . 2009-01-25 01:51   --------   d-----w-   c:\program files\Common Files\Steam
2009-11-02 18:05 . 2009-11-02 18:05   167064   ----a-w-   c:\windows\system32\xliveinstall.dll
2009-11-02 18:05 . 2009-11-02 18:05   71832   ----a-w-   c:\windows\system32\xliveinstallhost.exe
2009-10-29 22:29 . 2009-01-20 15:33   --------   d-----w-   c:\programdata\Nero
2009-10-29 22:29 . 2009-01-20 15:33   --------   d-----w-   c:\program files\Common Files\Nero
2009-10-16 23:23 . 2009-01-24 21:31   31048   ------r-   c:\users\A CHIANG\AppData\Roaming\Tencent\QQ\SafeBase\selfupdate.exe
2009-10-13 00:21 . 2009-10-13 00:21   10134   ----a-r-   c:\users\A CHIANG\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-10-11 15:37 . 2009-10-11 15:37   15952   ----a-w-   c:\windows\system32\TesDrvPt.sys
2009-09-30 13:58 . 2008-02-18 19:38   9576   ----a-w-   c:\programdata\Symantec\LiveUpdate\LuRegManifests\Static\CCMSLLUM.DLL
2009-03-31 21:47 . 2009-01-25 11:07   324976   ----a-w-   c:\program files\mozilla firefox\components\coFFPlgn.dll
.

(((((((((((((((((((((((((((((((((((((

?? ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*??*

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\games\steam.exe" [2009-10-25 1217808]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-21 185896]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]

c:\users\A CHIANG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
??QQ.lnk - c:\program files\Tencent\QQ\QQ.exe [2009-7-1 1988008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-12-16 1560576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R0 QKeyService;QKeyServiceDisplay;c:\windows\System32\KeyCrypt.sys [10/11/2009 3:38 PM 11648]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20091120.002\IDSvix86.sys [12/1/2009 5:19 AM 286768]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 7:37 PM 149352]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\RALINK\Common\RalinkRegistryWriter.exe [12/16/2009 12:24 PM 54272]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/13/2009 11:04 AM 102448]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr73.sys [12/16/2009 12:24 PM 493568]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2/19/2009 11:31 AM 41008]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [1/13/2008 2:32 AM 23888]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\games\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [11/10/2009 3:16 AM 25832]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [8/18/2005 7168]
S3 TesDrvPt;TesDrvPt;c:\windows\System32\TesDrvPt.sys [10/11/2009 3:37 PM 15952]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [1/25/2009 12:33 AM 717296]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   REG_MULTI_SZ     BthServ
WindowsMobile   REG_MULTI_SZ     wcescomm rapimgr
LocalServiceRestricted   REG_MULTI_SZ     WcesComm RapiMgr
.
-------

?? -------
.
uStart Page = hxxp://ffo.qq.com/index.shtml?ADTAG=GameClient.Link.LK.lk02
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: ???QQ?? - c:\program files\Tencent\QQ\AddEmotion.htm
FF - ProfilePath - c:\users\A CHIANG\AppData\Roaming\Mozilla\Firefox\Profiles\bnaoykgm.default\
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
-------

? -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

AddRemove-QQó??· - d:\mygames\Tencent\QQGAME\Uninstall.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 10:54
Windows 6.0.6001 Service Pack 1 NTFS

??

?

: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85540618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a1a2322
\Driver\ACPI -> acpi.sys @ 0x80698d4c
\Driver\atapi -> ataport.SYS @ 0x807a79a8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-691425603-4024494106-2681200341-1000\Software\Microsoft\Internet Explorer\MenuExt\??0RQ*Q*h?`]
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Tencent\\QQ\\AddEmotion.htm"
"contexts"=dword:00000002

[HKEY_USERS\S-1-5-21-691425603-4024494106-2681200341-1000\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Q*Q*?1u{^?]
@Allowed: (Read) (RestrictedCode)
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,00,00,00,00,00,00,00,01,fc,83,
e9,92,4a,ca,01,0e,00,00,00,44,00,3a,00,5c,00,4d,00,79,00,20,00,47,00,61,00,\
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*2*0*0*8*ck_Hr\Components\SectionQQ]
"Installed"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*?1u{^?]
"DisplayName"="QQ?

"
"UninstallString"="d:\\MYGAME~1\\QQFFO\\UNWISE.EXE d:\\MYGAME~1\\QQFFO\\INSTALL.LOG"

[HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\Q*Q*?1u{^?\SYS]
"path"="d:\\MYGAME~1\\QQFFO"
"PathRoot"="d:\\MYGAME~1\\QQFFO"
"install"="d:\\MYGAME~1\\QQFFO\\qqffo.exe"
.
---------------------

?? ---------------------

- - - - - - - > 'Explorer.exe'(5280)
c:\windows\system32\ieframe.dll
c:\windows\system32\NetworkExplorer.dll
c:\program files\Common Files\Symantec Shared\AppCore\AppMgr32.dll
.
------------------------

------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\conime.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Tencent\QQ\TXPlatform.exe
.
**************************************************************************
.

?: 2009-12-18 10:59:51 -

?
ComboFix-quarantined-files.txt 2009-12-18 10:59
ComboFix2.txt 2009-12-11 11:41

Pre-Run: 7,903,223,808 bytes free
Post-Run: 8,087,343,104 bytes free

- - End Of File - - BB35E48DF5C303D93DA095DF7D9705E1

amanda520 · « **Reply #16 on:** December 18, 2009, 11:06:44 »

I am still getting pop up. Just got one posting the last message...

Derek · « **Reply #17 on:** December 18, 2009, 12:04:42 »

all I can see that might be casuing it is tencent which appears to cause all sorts of problems

uninstall it & see if things imnprove

amanda520 · « **Reply #18 on:** December 18, 2009, 16:42:24 »

That is a Chinese instant messenger, I have had it for over a year on this computer, and on other computers too. Unlikely to be the one causing trouble considering this computer is the only one with pop ups.

Derek · « **Reply #19 on:** December 18, 2009, 17:42:54 »

see what these show

* Run Kaspersky online virus scan Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
select the (b)"Spyware, Adware, Dialers and other potentially dangerous programs" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: Kavscan is a scanner only & won't fix anything but will normally find the most infected files so it's report gives us a good place to work from

If that won't run then
Run an online antivirus check from one of the following sites
http://www.pandasoftware.com/activescan/
http://www.bitdefender.com/scan8/ie.html

The Spykiller

News:

Sponsored Adverts

Sponsored Ads

Welcome to The Spykiller

INSTRUCTIONS - Read This Before Posting For Malware Removal Help