Hi jack this - help please

GunJack

ok, reboot into safe mode with networking (keep tapping F8 on boot up for the options), then back to RIK's post #7 for combofix again (might be an idea to download a fresh copy, don't Run from the download box, Save it to desktop, then run it from there). Sounds like something is still lurking which is stopping combofix running correctly..

posh_bird

ok - run in safe mode.....

ComboFix 10-09-01.04 - deb 02/09/2010 22:50:39.6.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.362 [GMT 1:00]
Running from: c:\documents and settings\deb\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\AV7
c:\documents and settings\All Users\Start Menu\AV7\Uninstall.lnk
c:\documents and settings\deb\err.log
c:\documents and settings\josh\err.log
c:\documents and settings\keith\err.log
c:\program files\AV7
c:\program files\Common Files\System\Uninstall
c:\program files\siteicons
c:\program files\siteicons\gdimx\gdimx.exe
c:\windows\system32\winconfig.dll.tmp.tmp

.
((((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 )))))))))))))))))))))))))))))))
.

2010-09-02 20:22 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-09-02 20:22 . 2010-02-16 13:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-02 20:22 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-09-02 20:22 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-09-02 20:22 . 2010-09-02 20:22

---

d

---

w- c:\program files\Avira
2010-09-02 20:22 . 2010-09-02 20:22

---

d

---

w- c:\documents and settings\All Users\Application Data\Avira
2010-08-31 19:04 . 2010-08-31 19:04

---

d

---

w- c:\program files\MSXML 4.0
2010-08-31 18:06 . 2010-02-24 13:11 455680

---

w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-31 18:06 . 2009-11-21 15:51 471552

---

w- c:\windows\system32\dllcache\aclayers.dll
2010-08-31 18:04 . 2010-06-14 14:31 744448

---

w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-31 18:03 . 2009-10-15 16:28 81920

---

w- c:\windows\system32\dllcache\fontsub.dll
2010-08-31 18:03 . 2009-10-15 16:28 119808

---

w- c:\windows\system32\dllcache\t2embed.dll
2010-08-31 18:03 . 2009-03-06 14:22 284160

---

w- c:\windows\system32\dllcache\pdh.dll
2010-08-31 18:03 . 2009-02-06 10:39 35328

---

w- c:\windows\system32\dllcache\sc.exe
2010-08-31 18:03 . 2009-02-09 12:10 401408

---

w- c:\windows\system32\dllcache\rpcss.dll
2010-08-31 18:03 . 2009-02-06 11:11 110592

---

w- c:\windows\system32\dllcache\services.exe
2010-08-31 18:03 . 2009-02-09 12:10 473600

---

w- c:\windows\system32\dllcache\fastprox.dll
2010-08-31 18:03 . 2009-02-09 12:10 453120

---

w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-08-31 18:03 . 2009-02-06 10:10 227840

---

w- c:\windows\system32\dllcache\wmiprvse.exe
2010-08-31 18:03 . 2009-02-09 12:10 714752

---

w- c:\windows\system32\dllcache\ntdll.dll
2010-08-31 18:03 . 2009-02-09 12:10 617472

---

w- c:\windows\system32\dllcache\advapi32.dll
2010-08-31 18:02 . 2009-06-21 21:44 153088

---

w- c:\windows\system32\dllcache\triedit.dll
2010-08-31 17:49 . 2010-02-12 10:03 293376

---

w- c:\windows\system32\browserchoice.exe
2010-08-31 17:45 . 2010-06-18 13:36 3558912

---

w- c:\windows\system32\dllcache\moviemk.exe
2010-08-31 17:44 . 2008-10-15 16:34 337408

---

w- c:\windows\system32\dllcache\netapi32.dll
2010-08-31 17:43 . 2008-05-03 11:55 2560

---

w- c:\windows\system32\xpsp4res.dll
2010-08-31 17:43 . 2008-04-21 12:08 215552

---

w- c:\windows\system32\dllcache\wordpad.exe
2010-08-31 17:43 . 2009-08-13 15:16 512000

---

w- c:\windows\system32\dllcache\jscript.dll
2010-08-31 16:51 . 2010-08-31 16:51

---

d

---

w- c:\documents and settings\All Users\Application Data\Panda Security
2010-08-31 16:43 . 2010-09-02 20:44

---

d

---

w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-31 16:43 . 2010-08-31 16:47

---

d

---

w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 13:11 . 2009-02-06 13:11

---

d

---

w- c:\program files\Malwarebytes' Anti-Malware
2010-09-02 11:25 . 2005-10-12 01:58

---

d

---

w- c:\program files\Panda Security
2010-09-01 09:27 . 2006-03-24 20:31 33360 ----a-w- c:\documents and settings\deb\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-31 18:46 . 2006-03-22 01:50

---

d

---

w- c:\program files\Common Files\AOL
2010-08-31 18:46 . 2006-03-22 01:50

---

d

---

w- c:\documents and settings\All Users\Application Data\AOL
2010-08-31 18:46 . 2006-03-22 01:50

---

d

---

w- c:\program files\Common Files\aolshare
2010-08-31 18:45 . 2006-04-10 20:27

---

d

---

w- c:\program files\Yahoo!
2010-08-31 17:45 . 2005-10-12 01:44

---

d

---

w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-31 16:38 . 2005-10-12 01:46

---

d

---

w- c:\program files\CCleaner
2010-08-14 16:46 . 2010-06-22 16:38 27630760 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUPDATER\msgup1000_1270_us_u1.exe
2010-08-08 11:57 . 2007-03-30 10:26 32200 ----a-w- c:\documents and settings\keith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-06 14:09 . 2006-03-24 20:54

---

d

---

w- c:\program files\Dl_cats
2010-07-31 17:52 . 2006-03-24 20:30 6216 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-07-31 17:52 . 2006-03-24 20:30 104 --sh--r- c:\windows\system32\6B80B99C35.sys
2010-07-22 12:51 . 2006-03-25 18:39

---

d

---

w- c:\program files\MSN Messenger
2010-07-22 12:50 . 2010-07-22 12:50

---

d

---

w- c:\program files\Microsoft
2010-07-22 12:50 . 2010-07-22 12:49

---

d

---

w- c:\program files\Windows Live
2010-07-22 12:49 . 2010-07-22 12:49

---

d

---

w- c:\program files\Windows Live SkyDrive
2010-06-30 12:31 . 2004-08-10 12:51 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-08-10 12:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-10 12:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-10 12:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-10 12:51 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2006-03-22 01:14 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 12:51 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 00:23 . 2010-06-18 14:03 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUPDATER\yupdater.exe
2010-06-14 14:31 . 2004-08-10 13:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 12:51 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-07-11 223984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-01-10 71216]
"RunMotive"="c:\windows\RunMotive.exe" [2003-04-17 36864]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"NapsterShell"="c:\program files\Napster\napster.exe" [2007-01-12 323216]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2005-10-12 1020248]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-02-17 19:37 177472 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2005-08-31 11:06 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 10:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 05:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 08:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 18:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2007-05-02 06:08 366400 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-03-22 01:50 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2008-07-11 17:06 223984 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\josh\\My Documents\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\supportsoft\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Samsung\\Samsung PC Studio 3\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung PC Studio 3\\npsvsvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [12/10/2005 04:01 339984]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [02/09/2010 21:22 135336]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [22/09/2009 14:08 233472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2005 02:46 135664]
S2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]
S2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\supportsoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/10/2005 04:01 36368]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [22/09/2009 14:08 36608]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 PAC207;USB PC Cam Plus;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/10/2005 04:09 50704]
S3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [12/10/2005 04:10 497008]
S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [12/10/2005 04:10 689416]
.
Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2005-10-12 01:46]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2005-10-12 01:46]
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://www.mytalktalk.co.uk
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\deb\Application Data\Mozilla\Firefox\Profiles\czvb06w7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.mytalktalk.co.uk
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
pref(general.useragent.extra.spoenp, SPOENB/1.0);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NPSStartup - (no file)
MSConfigStartUp-dxvid - c:\windows\system32\dxvid.exe
MSConfigStartUp-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
AddRemove-dxvid - c:\windows\system32\dxvid.exe
AddRemove-infxp - c:\program files\infxp\infxp\infxp.exe
AddRemove-MS10101 - c:\program files\common files\system\hk9ife.exe
AddRemove-Yahoo! Companion - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-02 23:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-09-02 23:08:57
ComboFix-quarantined-files.txt 2010-09-02 22:08

Pre-Run: 49,040,543,744 bytes free
Post-Run: 49,296,125,952 bytes free

- - End Of File - - 6C8F1749ECC145712FF17082BBC4AC5A

GunJack

thought as much....that first block of Other Deletions are infected files. You should now be able to reboot normally and run combofix again in normal mode. If not, there are still more to be got. Try again after a normal reboot and let us know how you get on....

posh_bird

ran combofix again as instructed - and got the same blue screen with the same message.....

danthemoneysavingman

this entry looks dubious: c:\windows\system32\6B80B99C35.sys

such randomly-named items are rarely good news

sorry dont help much but there's my $0.02

GunJack

OK, try Dr Web

http://www.freedrweb.com/download+cureit/

download and save to desktop. Double-click to run it. It will start off on a quick scan....stop this and set it off on a full scan. It WILL take a couple or three hours, but is vey thorough.

aliEnRIK

Uninstall TREND MICRO firewall. Its next to useless
Switch on WINDOWS firewall in its place (Or if you need to control ALL connections, use COMODO, but leave that off until the problems sorted)

I cant see anything wrong personally, so ill wait to see what Dr Web finds

thomas01155

Did you disable Spybot search and destroy teatimer before running Combofix in normal mode?

aliEnRIK

thomas01155 wrote: »

Did you disable Spybot search and destroy teatimer before running Combofix in normal mode?

Cant believe I missed that

GunJack

aliEnRIK wrote: »

Cant believe I missed that

you and me both matey

on a more general note, think it's gettin' there