Virus preventing running any type of program

[Rudi Cornette]

Hello all,

In utter frustration and as a last hope i turn to YOU.
as off yesterday i have a virus on pc and laptop, after intalling and running a virus scanner it said it was clear. as off this morning i did get a fake virusscanner warning on my screen and im not able to run anything eccept my internet.

running win xp sp 2
unable to run any program to remove malware or virus, on the pc or online

In frustration I even tried to format and reinstall win, but even that doint work ,just doint run any .exe
hope you can help me

regards

[Rudi Cornette]

update

looks like its solved, could you pls have a look at the log file,
ComboFix Beta_09-08-15.07 - RC 08/16/2009 17:21.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2683 [GMT -5:00]
Running from: c:\documents and settings\RC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RC\Desktop\CFScript.txt
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}

FILE ::
"c:\windows\svchast.exe"
.

((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
.

2009-08-16 20:34 . 2009-08-16 20:34 -------- d-----w- c:\documents and settings\RC\Application Data\AVG8
2009-08-16 19:47 . 2009-08-16 19:47 -------- d-----w- c:\windows\McAfee.com
2009-08-16 19:09 . 2009-08-16 19:12 -------- d-----w- c:\windows\BDOSCAN8
2009-08-16 18:53 . 2009-08-14 21:21 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-16 18:08 . 2009-08-16 18:08 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-16 18:02 . 2009-08-16 18:02 42 ----a-w- c:\program files\Common Files\WindowsUpdate.zip
2009-08-16 15:21 . 2009-08-16 15:21 36352 ----a-w- c:\windows\system32\csbdll.dll
2009-08-16 15:21 . 2009-08-16 17:59 0 ----a-w- c:\windows\system32\drivers\4ea9d2da.sys
2009-08-16 15:21 . 2009-08-16 21:22 75264 --sh--r- c:\windows\mscth32.exe
2009-08-15 00:56 . 2009-08-15 19:19 -------- d-----w- c:\documents and settings\RC\Application Data\BitTorrent
2009-08-15 00:56 . 2009-08-15 00:56 -------- d-----w- c:\program files\BitTorrent
2009-08-15 00:56 . 2009-08-16 18:08 -------- d-----w- c:\program files\AskBarDis
2009-08-14 22:31 . 2009-08-14 22:31 -------- d-----w- c:\documents and settings\RC\Application Data\PC Tools
2009-08-14 22:25 . 2009-08-16 22:13 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-14 22:25 . 2009-04-03 16:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-14 22:25 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-14 22:25 . 2009-08-14 22:25 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-14 22:25 . 2009-02-10 15:13 21904 ----a-w- c:\windows\system32\drivers\AVRec.sys
2009-08-14 22:25 . 2009-02-10 15:13 28560 ----a-w- c:\windows\system32\drivers\AVHook.sys
2009-08-14 22:25 . 2009-02-10 15:13 21904 ----a-w- c:\windows\system32\drivers\AVFilter.sys
2009-08-14 22:25 . 2009-08-16 22:11 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-08-14 22:25 . 2009-08-14 22:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PC Tools
2009-08-14 22:04 . 2009-08-16 21:23 53248 ----a-w- C:\jnvcbaox.exe
2009-08-14 22:04 . 2009-08-16 21:23 91648 ----a-w- C:\yaewfl.exe
2009-08-14 21:21 . 2009-08-16 19:31 -------- d-----w- c:\documents and settings\RC\.housecall6.6
2009-08-14 21:17 . 2009-08-14 21:17 -------- d-----w- c:\windows\Sun
2009-08-14 21:14 . 2009-08-14 21:14 -------- d-----w- c:\program files\Common Files\Java
2009-08-14 21:10 . 2009-08-14 21:16 -------- d-----w- c:\program files\Java
2009-08-14 21:10 . 2009-08-14 21:13 152576 ----a-w- c:\documents and settings\RC\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-14 20:33 . 2009-08-16 21:22 212533 ----a-w- C:\lyusoqm.exe
2009-08-14 20:32 . 2009-08-14 20:32 211048 ----a-w- C:\hflqw.exe
2009-08-14 20:32 . 2009-08-14 20:32 269 ----a-w- c:\documents and settings\RC\hgqcoq.bat
2009-08-12 15:55 . 2009-06-29 16:12 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-12 15:55 . 2009-06-29 16:12 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-12 15:55 . 2009-06-29 16:12 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-12 15:55 . 2009-06-29 16:12 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2009-08-12 15:55 . 2009-06-29 16:12 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-12 15:55 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-12 15:55 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-12 15:55 . 2009-07-19 13:32 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-12 15:54 . 2007-08-13 23:54 33792 -c--a-w- c:\windows\system32\dllcache\custsat.dll
2009-08-12 14:25 . 2009-08-12 14:27 -------- d-----w- c:\windows\ShellNew
2009-08-05 23:18 . 2009-08-12 03:02 10 ----a-w- c:\windows\popcinfo.dat
2009-08-05 22:37 . 2009-08-05 22:37 -------- d-----w- c:\program files\PopCap Games
2009-08-05 22:37 . 2009-08-05 22:37 -------- d-----w- c:\program files\Zuma Deluxe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 21:23 . 2009-08-16 18:02 726 ----a-w- c:\windows\Fonts\aldieofapqceo_setup.tmp
2009-08-16 18:12 . 2009-08-16 18:12 691712 ----a-w- c:\windows\isRS-000.tmp
2009-08-16 18:02 . 2009-08-14 22:04 53248 ----a-w- c:\windows\Fonts\j8j88j.exe
2009-08-15 19:20 . 2009-04-20 04:44 -------- d-----w- c:\documents and settings\RC\Application Data\Skype
2009-08-12 15:53 . 2009-04-04 01:21 19552 ----a-w- c:\documents and settings\RC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-10 22:56 . 2009-04-04 01:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-10 19:48 . 2009-07-10 19:31 -------- d-----w- c:\documents and settings\RC\Application Data\GetRightToGo
2009-07-10 19:40 . 2009-07-10 19:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PC Drivers HeadQuarters
2009-07-10 13:49 . 2009-07-10 13:49 -------- d-----w- c:\program files\Common Files\Logitech
2009-07-10 13:49 . 2009-07-10 13:49 -------- d-----w- c:\program files\Logitech
2009-07-10 13:49 . 2009-04-04 01:58 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-02 10:02 . 2009-07-10 22:53 5085184 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-05-21 06:01 . 2009-07-10 22:53 17881600 ----a-w- c:\windows\RTHDCPL.EXE
.

------- Sigcheck -------

[-] 2006-08-05 23:32 359040 C81D6A930A7805F6DAA0C7902B99037E c:\windows\system32\drivers\tcpip.sys

[-] 2004-11-28 21:36 8704 AB3D62010AF342203FFA60C2D94DBC68 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 17:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-31 1935360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"ter8m"="c:\windows\system32\msxm192z.dll" [2004-08-18 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"Microsoft Driver Setup"="c:\windows\mscth32.exe" [2009-08-16 75264]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-02-19 1374096]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-05-21 17881600]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\csbdll]
2009-08-16 15:21 36352 ----a-w- c:\windows\system32\csbdll.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/14/2009 5:25 PM 130936]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [7/10/2009 8:49 AM 14095]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/10/2009 5:53 PM 1684736]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.moonlapse.com/index.php?action=forum
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-16 17:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\csbdll.dll
c:\windows\system32\WININET.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'lsass.exe'(776)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'explorer.exe'(3968)
c:\windows\system32\WININET.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\msxm192z.dll
c:\windows\system32\msi.dll

- - - - - - - > 'csrss.exe'(696)
c:\program files\PC Tools AntiVirus\PCTAVHook.dll
.
Completion time: 2009-08-16 17:24
ComboFix-quarantined-files.txt 2009-08-16 22:24
ComboFix2.txt 2009-08-16 22:03

Pre-Run: 136,093,536,256 bytes free
Post-Run: 136,051,712,000 bytes free

168


with regards
Rudi

[Ried]

You posted a mere hour ago and have already gone forward and totally disregarded our forum pre-posting topic, as well as the ComboFix Disclaimer and proceeded to run it on your own.

You are not clean yet. Kindly note the bumping rules, and wait your turn for further instructions.

[Ried]

Hi Rudi, there is a line that concerns me. I'll need to see the first run. Click Start>Run and type in the following bolded text:

C:\Qoobox\ComboFix2.txt

The report should pop open for you. Please post the contents for review.

[Rudi Cornette]

Ried,

says that C:\Qoobox\ComboFix2.txt reffers to a unknow location...

[Ried]

Based on the location Combofix is running from, it should be there.

Navigate to C:\Qoobox Do you see a ComboFix2.txt?

[Rudi Cornette]

yes this is it, but its the same as my sec post I think,




ComboFix Beta_09-08-15.07 - RC 08/16/2009 17:21.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2683 [GMT -5:00]
Running from: c:\documents and settings\RC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RC\Desktop\CFScript.txt
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}

FILE ::
"c:\windows\svchast.exe"
.

((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
.

2009-08-16 20:34 . 2009-08-16 20:34 -------- d-----w- c:\documents and settings\RC\Application Data\AVG8
2009-08-16 19:47 . 2009-08-16 19:47 -------- d-----w- c:\windows\McAfee.com
2009-08-16 19:09 . 2009-08-16 19:12 -------- d-----w- c:\windows\BDOSCAN8
2009-08-16 18:53 . 2009-08-14 21:21 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-16 18:08 . 2009-08-16 18:08 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-16 18:02 . 2009-08-16 18:02 42 ----a-w- c:\program files\Common Files\WindowsUpdate.zip
2009-08-16 15:21 . 2009-08-16 15:21 36352 ----a-w- c:\windows\system32\csbdll.dll
2009-08-16 15:21 . 2009-08-16 17:59 0 ----a-w- c:\windows\system32\drivers\4ea9d2da.sys
2009-08-16 15:21 . 2009-08-16 21:22 75264 --sh--r- c:\windows\mscth32.exe
2009-08-15 00:56 . 2009-08-15 19:19 -------- d-----w- c:\documents and settings\RC\Application Data\BitTorrent
2009-08-15 00:56 . 2009-08-15 00:56 -------- d-----w- c:\program files\BitTorrent
2009-08-15 00:56 . 2009-08-16 18:08 -------- d-----w- c:\program files\AskBarDis
2009-08-14 22:31 . 2009-08-14 22:31 -------- d-----w- c:\documents and settings\RC\Application Data\PC Tools
2009-08-14 22:25 . 2009-08-16 22:13 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-14 22:25 . 2009-04-03 16:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-14 22:25 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-14 22:25 . 2009-08-14 22:25 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-14 22:25 . 2009-02-10 15:13 21904 ----a-w- c:\windows\system32\drivers\AVRec.sys
2009-08-14 22:25 . 2009-02-10 15:13 28560 ----a-w- c:\windows\system32\drivers\AVHook.sys
2009-08-14 22:25 . 2009-02-10 15:13 21904 ----a-w- c:\windows\system32\drivers\AVFilter.sys
2009-08-14 22:25 . 2009-08-16 22:11 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-08-14 22:25 . 2009-08-14 22:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PC Tools
2009-08-14 22:04 . 2009-08-16 21:23 53248 ----a-w- C:\jnvcbaox.exe
2009-08-14 22:04 . 2009-08-16 21:23 91648 ----a-w- C:\yaewfl.exe
2009-08-14 21:21 . 2009-08-16 19:31 -------- d-----w- c:\documents and settings\RC\.housecall6.6
2009-08-14 21:17 . 2009-08-14 21:17 -------- d-----w- c:\windows\Sun
2009-08-14 21:14 . 2009-08-14 21:14 -------- d-----w- c:\program files\Common Files\Java
2009-08-14 21:10 . 2009-08-14 21:16 -------- d-----w- c:\program files\Java
2009-08-14 21:10 . 2009-08-14 21:13 152576 ----a-w- c:\documents and settings\RC\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-14 20:33 . 2009-08-16 21:22 212533 ----a-w- C:\lyusoqm.exe
2009-08-14 20:32 . 2009-08-14 20:32 211048 ----a-w- C:\hflqw.exe
2009-08-14 20:32 . 2009-08-14 20:32 269 ----a-w- c:\documents and settings\RC\hgqcoq.bat
2009-08-12 15:55 . 2009-06-29 16:12 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-12 15:55 . 2009-06-29 16:12 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-12 15:55 . 2009-06-29 16:12 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-12 15:55 . 2009-06-29 16:12 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2009-08-12 15:55 . 2009-06-29 16:12 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-12 15:55 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-12 15:55 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-12 15:55 . 2009-07-19 13:32 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-12 15:54 . 2007-08-13 23:54 33792 -c--a-w- c:\windows\system32\dllcache\custsat.dll
2009-08-12 14:25 . 2009-08-12 14:27 -------- d-----w- c:\windows\ShellNew
2009-08-05 23:18 . 2009-08-12 03:02 10 ----a-w- c:\windows\popcinfo.dat
2009-08-05 22:37 . 2009-08-05 22:37 -------- d-----w- c:\program files\PopCap Games
2009-08-05 22:37 . 2009-08-05 22:37 -------- d-----w- c:\program files\Zuma Deluxe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 21:23 . 2009-08-16 18:02 726 ----a-w- c:\windows\Fonts\aldieofapqceo_setup.tmp
2009-08-16 18:12 . 2009-08-16 18:12 691712 ----a-w- c:\windows\isRS-000.tmp
2009-08-16 18:02 . 2009-08-14 22:04 53248 ----a-w- c:\windows\Fonts\j8j88j.exe
2009-08-15 19:20 . 2009-04-20 04:44 -------- d-----w- c:\documents and settings\RC\Application Data\Skype
2009-08-12 15:53 . 2009-04-04 01:21 19552 ----a-w- c:\documents and settings\RC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-10 22:56 . 2009-04-04 01:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-10 19:48 . 2009-07-10 19:31 -------- d-----w- c:\documents and settings\RC\Application Data\GetRightToGo
2009-07-10 19:40 . 2009-07-10 19:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PC Drivers HeadQuarters
2009-07-10 13:49 . 2009-07-10 13:49 -------- d-----w- c:\program files\Common Files\Logitech
2009-07-10 13:49 . 2009-07-10 13:49 -------- d-----w- c:\program files\Logitech
2009-07-10 13:49 . 2009-04-04 01:58 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-02 10:02 . 2009-07-10 22:53 5085184 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-05-21 06:01 . 2009-07-10 22:53 17881600 ----a-w- c:\windows\RTHDCPL.EXE
.

------- Sigcheck -------

[-] 2006-08-05 23:32 359040 C81D6A930A7805F6DAA0C7902B99037E c:\windows\system32\drivers\tcpip.sys

[-] 2004-11-28 21:36 8704 AB3D62010AF342203FFA60C2D94DBC68 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 17:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-31 1935360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"ter8m"="c:\windows\system32\msxm192z.dll" [2004-08-18 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"Microsoft Driver Setup"="c:\windows\mscth32.exe" [2009-08-16 75264]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-02-19 1374096]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-05-21 17881600]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\csbdll]
2009-08-16 15:21 36352 ----a-w- c:\windows\system32\csbdll.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/14/2009 5:25 PM 130936]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [7/10/2009 8:49 AM 14095]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/10/2009 5:53 PM 1684736]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.moonlapse.com/index.php?action=forum
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-16 17:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\csbdll.dll
c:\windows\system32\WININET.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'lsass.exe'(776)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'explorer.exe'(3968)
c:\windows\system32\WININET.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\msxm192z.dll
c:\windows\system32\msi.dll

- - - - - - - > 'csrss.exe'(696)
c:\program files\PC Tools AntiVirus\PCTAVHook.dll
.
Completion time: 2009-08-16 17:24
ComboFix-quarantined-files.txt 2009-08-16 22:24
ComboFix2.txt 2009-08-16 22:03

Pre-Run: 136,093,536,256 bytes free
Post-Run: 136,051,712,000 bytes free

168

[Ried]

Did you rename any of the ComboFix.txt logs? What is the name of the ComboFix report that is directly on C:\

[Rudi Cornette]

did not rename anything, only thing I have direct on c: is the txt file ComboFix
and a folder ComboFix with the nircmdB applicatin, thats all. its only stuff a search reveals.

[Ried]

Is there a C:\Qoobox\Quarantine\Combofix-quarantined-files.txt

If so, would you please attach that report?

[Rudi Cornette]

nope i doint have anything else than what i posted before

[Ried]

Hmmm, okay, let's do this..

Open Notepad and copy/paste the contents inside the quote box below, into Notepad.

Quote:

PEV -l "%systemdrive%\sfcfiles.*" >log.txt
start notepad log.txt

Save this as look.bat Choose to "Save type as - All Files"
It should look like this:

Double click on look.bat & allow it to run. Then post the log which it produces

[Rudi Cornette]

done, it runs and opens notepad, but its blank?!

[Ried]

Even if there weren't any present on the system somewhere, it still would have shown something like

Entries: 0 (0)
Directories: 0 Files:
Bytes: 0 Blocks: 0

====================================

Let's move on for the moment...


Delete your existing ComboFix.exe and download a fresh copy from here

Please save it directly to your desktop, not a folder on the desktop.


Disable your onboard AV and double click the freshly downloaded Combofix to run it. Post the C:\ComboFix.txt when it has finished.

[Rudi Cornette]

new log



ComboFix Beta_09-08-16.01 - RC 08/17/2009 21:50.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2410 [GMT -5:00]
Running from: c:\documents and settings\RC\Desktop\ComboFix.exe
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Outdated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Desktop\PC Tools AntiVirus.lnk
c:\documents and settings\RC\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Tools AntiVirus.lnk

.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-16 22:45 . 2009-08-16 22:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-16 22:41 . 2009-08-16 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-16 22:41 . 2009-08-16 22:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-16 20:34 . 2009-08-16 20:34 -------- d-----w- c:\documents and settings\RC\Application Data\AVG8
2009-08-16 19:47 . 2009-08-16 19:47 -------- d-----w- c:\windows\McAfee.com
2009-08-16 19:09 . 2009-08-16 19:12 -------- d-----w- c:\windows\BDOSCAN8
2009-08-16 18:53 . 2009-08-14 21:21 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-16 18:08 . 2009-08-16 18:08 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-16 18:02 . 2009-08-16 18:02 42 ----a-w- c:\program files\Common Files\WindowsUpdate.zip
2009-08-16 15:21 . 2009-08-16 15:21 36352 ----a-w- c:\windows\system32\csbdll.dll
2009-08-16 15:21 . 2009-08-16 17:59 0 ----a-w- c:\windows\system32\drivers\4ea9d2da.sys
2009-08-16 15:21 . 2009-08-16 21:22 75264 --sh--r- c:\windows\mscth32.exe
2009-08-15 00:56 . 2009-08-15 19:19 -------- d-----w- c:\documents and settings\RC\Application Data\BitTorrent
2009-08-15 00:56 . 2009-08-15 00:56 -------- d-----w- c:\program files\BitTorrent
2009-08-15 00:56 . 2009-08-16 18:08 -------- d-----w- c:\program files\AskBarDis
2009-08-14 22:31 . 2009-08-14 22:31 -------- d-----w- c:\documents and settings\RC\Application Data\PC Tools
2009-08-14 22:25 . 2009-08-18 02:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-14 22:25 . 2009-04-03 16:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-14 22:25 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-14 22:25 . 2009-08-14 22:25 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-14 22:25 . 2009-02-10 15:13 21904 ----a-w- c:\windows\system32\drivers\AVRec.sys
2009-08-14 22:25 . 2009-02-10 15:13 28560 ----a-w- c:\windows\system32\drivers\AVHook.sys
2009-08-14 22:25 . 2009-02-10 15:13 21904 ----a-w- c:\windows\system32\drivers\AVFilter.sys
2009-08-14 22:25 . 2009-08-17 16:31 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-08-14 22:25 . 2009-08-14 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-14 22:04 . 2009-08-16 21:23 53248 ----a-w- C:\jnvcbaox.exe
2009-08-14 22:04 . 2009-08-16 21:23 91648 ----a-w- C:\yaewfl.exe
2009-08-14 21:21 . 2009-08-16 19:31 -------- d-----w- c:\documents and settings\RC\.housecall6.6
2009-08-14 21:17 . 2009-08-14 21:17 -------- d-----w- c:\windows\Sun
2009-08-14 21:14 . 2009-08-14 21:14 -------- d-----w- c:\program files\Common Files\Java
2009-08-14 21:10 . 2009-08-14 21:16 -------- d-----w- c:\program files\Java
2009-08-14 21:10 . 2009-08-14 21:13 152576 ----a-w- c:\documents and settings\RC\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-14 20:33 . 2009-08-16 21:22 212533 ----a-w- C:\lyusoqm.exe
2009-08-14 20:32 . 2009-08-14 20:32 211048 ----a-w- C:\hflqw.exe
2009-08-14 20:32 . 2009-08-14 20:32 269 ----a-w- c:\documents and settings\RC\hgqcoq.bat
2009-08-12 15:55 . 2009-06-29 16:12 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-12 15:55 . 2009-06-29 16:12 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-12 15:55 . 2009-06-29 16:12 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-12 15:55 . 2009-06-29 16:12 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2009-08-12 15:55 . 2009-06-29 16:12 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-12 15:55 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-12 15:55 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-12 15:55 . 2009-07-19 13:32 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-12 15:54 . 2007-08-13 23:54 33792 -c--a-w- c:\windows\system32\dllcache\custsat.dll
2009-08-12 14:25 . 2009-08-12 14:27 -------- d-----w- c:\windows\ShellNew
2009-08-05 23:18 . 2009-08-17 22:53 10 ----a-w- c:\windows\popcinfo.dat
2009-08-05 22:37 . 2009-08-05 22:37 -------- d-----w- c:\program files\PopCap Games
2009-08-05 22:37 . 2009-08-05 22:37 -------- d-----w- c:\program files\Zuma Deluxe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 02:47 . 2009-04-20 04:44 -------- d-----w- c:\documents and settings\RC\Application Data\Skype
2009-08-16 21:23 . 2009-08-16 18:02 726 ----a-w- c:\windows\Fonts\aldieofapqceo_setup.tmp
2009-08-16 18:02 . 2009-08-14 22:04 53248 ----a-w- c:\windows\Fonts\j8j88j.exe
2009-08-12 15:53 . 2009-04-04 01:21 19552 ----a-w- c:\documents and settings\RC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-10 22:56 . 2009-04-04 01:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-10 19:48 . 2009-07-10 19:31 -------- d-----w- c:\documents and settings\RC\Application Data\GetRightToGo
2009-07-10 19:40 . 2009-07-10 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-07-10 13:49 . 2009-07-10 13:49 -------- d-----w- c:\program files\Common Files\Logitech
2009-07-10 13:49 . 2009-07-10 13:49 -------- d-----w- c:\program files\Logitech
2009-07-10 13:49 . 2009-04-04 01:58 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-02 10:02 . 2009-07-10 22:53 5085184 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-05-21 06:01 . 2009-07-10 22:53 17881600 ----a-w- c:\windows\RTHDCPL.EXE
.

------- Sigcheck -------

[-] 2006-08-05 23:32 359040 C81D6A930A7805F6DAA0C7902B99037E c:\windows\system32\drivers\tcpip.sys

[-] 2004-11-28 21:36 8704 AB3D62010AF342203FFA60C2D94DBC68 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 17:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-31 1935360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"ter8m"="c:\windows\system32\msxm192z.dll" [2004-08-18 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"Microsoft Driver Setup"="c:\windows\mscth32.exe" [2009-08-16 75264]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-02-19 1374096]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-05-21 17881600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\csbdll]
2009-08-16 15:21 36352 ----a-w- c:\windows\system32\csbdll.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/14/2009 5:25 PM 130936]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [7/10/2009 8:49 AM 14095]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/10/2009 5:53 PM 1684736]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.moonlapse.com/index.php?action=forum
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 21:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\csbdll.dll
c:\windows\system32\WININET.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'lsass.exe'(784)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'csrss.exe'(700)
c:\program files\PC Tools AntiVirus\PCTAVHook.dll
.
Completion time: 2009-08-18 21:54
ComboFix-quarantined-files.txt 2009-08-18 02:54

Pre-Run: 136,143,265,792 bytes free
Post-Run: 136,154,959,872 bytes free

165

[Ried]

Hi Rudi,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/405362-virus-preventing-running-any-type-program.html#post2298497

Collect::
c:\windows\system32\csbdll.dll
c:\windows\mscth32.exe
C:\jnvcbaox.exe
C:\yaewfl.exe
C:\lyusoqm.exe
C:\hflqw.exe
c:\WINDOWS\Fonts\aldieofapqceo_setup.tmp
c:\WINDOWS\Fonts\j8j88j.exe
c:\windows\system32\msxm192z.dll

File::
c:\documents and settings\RC\hgqcoq.bat
c:\windows\system32\drivers\4ea9d2da.sys

SRPeek::
C:\WINDOWS\system32\sfcfiles.dll

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Refering to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

Please return with the C:\ComboFix.txt for further review.

How is the system behaving?

[Rudi Cornette]

Ried,

did what you sugested, when i draged the txt file onto combofix, it asked me to run combofix, clicked yes.
I never saw the message box with the combofix log?!
but here is the log, pc runs like before

ComboFix Beta_09-08-16.01 - RC 08/17/2009 22:34.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2394 [GMT -5:00]
Running from: c:\documents and settings\RC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RC\Desktop\CFScript.txt
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Outdated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}

FILE ::
"c:\documents and settings\RC\hgqcoq.bat"
"c:\windows\system32\drivers\4ea9d2da.sys"

file zipped: C:\hflqw.exe
file zipped: C:\jnvcbaox.exe
file zipped: C:\lyusoqm.exe
file zipped: c:\windows\Fonts\aldieofapqceo_setup.tmp
file zipped: c:\windows\Fonts\j8j88j.exe
file zipped: c:\windows\mscth32.exe
file zipped: c:\windows\system32\csbdll.dll
file zipped: c:\windows\system32\msxm192z.dll
file zipped: C:\yaewfl.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\RC\hgqcoq.bat
C:\hflqw.exe
C:\jnvcbaox.exe
C:\lyusoqm.exe
c:\windows\Fonts\aldieofapqceo_setup.tmp
c:\windows\Fonts\j8j88j.exe
c:\windows\mscth32.exe
c:\windows\system32\csbdll.dll
c:\windows\system32\drivers\4ea9d2da.sys
c:\windows\system32\msxm192z.dll
C:\yaewfl.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-16 22:45 . 2009-08-16 22:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-16 22:41 . 2009-08-16 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-16 22:41 . 2009-08-16 22:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-16 20:34 . 2009-08-16 20:34 -------- d-----w- c:\documents and settings\RC\Application Data\AVG8
2009-08-16 19:47 . 2009-08-16 19:47 -------- d-----w- c:\windows\McAfee.com
2009-08-16 19:09 . 2009-08-16 19:12 -------- d-----w- c:\windows\BDOSCAN8
2009-08-16 18:53 . 2009-08-14 21:21 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-16 18:08 . 2009-08-16 18:08 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-16 18:02 . 2009-08-16 18:02 42 ----a-w- c:\program files\Common Files\WindowsUpdate.zip
2009-08-15 00:56 . 2009-08-15 19:19 -------- d-----w- c:\documents and settings\RC\Application Data\BitTorrent
2009-08-15 00:56 . 2009-08-15 00:56 -------- d-----w- c:\program files\BitTorrent
2009-08-15 00:56 . 2009-08-16 18:08 -------- d-----w- c:\program files\AskBarDis
2009-08-14 22:31 . 2009-08-14 22:31 -------- d-----w- c:\documents and settings\RC\Application Data\PC Tools
2009-08-14 22:25 . 2009-08-18 03:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-14 22:25 . 2009-04-03 16:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-14 22:25 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-14 22:25 . 2009-08-14 22:25 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-14 22:25 . 2009-02-10 15:13 21904 ----a-w- c:\windows\system32\drivers\AVRec.sys
2009-08-14 22:25 . 2009-02-10 15:13 28560 ----a-w- c:\windows\system32\drivers\AVHook.sys
2009-08-14 22:25 . 2009-02-10 15:13 21904 ----a-w- c:\windows\system32\drivers\AVFilter.sys
2009-08-14 22:25 . 2009-08-18 03:37 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-08-14 22:25 . 2009-08-14 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-14 21:21 . 2009-08-16 19:31 -------- d-----w- c:\documents and settings\RC\.housecall6.6
2009-08-14 21:17 . 2009-08-14 21:17 -------- d-----w- c:\windows\Sun
2009-08-14 21:14 . 2009-08-14 21:14 -------- d-----w- c:\program files\Common Files\Java
2009-08-14 21:10 . 2009-08-14 21:16 -------- d-----w- c:\program files\Java
2009-08-14 21:10 . 2009-08-14 21:13 152576 ----a-w- c:\documents and settings\RC\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-12 15:55 . 2009-06-29 16:12 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-12 15:55 . 2009-06-29 16:12 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-12 15:55 . 2009-06-29 16:12 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-12 15:55 . 2009-06-29 16:12 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2009-08-12 15:55 . 2009-06-29 16:12 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-12 15:55 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-12 15:55 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-12 15:55 . 2009-07-19 13:32 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-12 15:54 . 2007-08-13 23:54 33792 -c--a-w- c:\windows\system32\dllcache\custsat.dll
2009-08-12 14:25 . 2009-08-12 14:27 -------- d-----w- c:\windows\ShellNew
2009-08-05 23:18 . 2009-08-17 22:53 10 ----a-w- c:\windows\popcinfo.dat
2009-08-05 22:37 . 2009-08-05 22:37 -------- d-----w- c:\program files\PopCap Games
2009-08-05 22:37 . 2009-08-05 22:37 -------- d-----w- c:\program files\Zuma Deluxe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 02:47 . 2009-04-20 04:44 -------- d-----w- c:\documents and settings\RC\Application Data\Skype
2009-08-12 15:53 . 2009-04-04 01:21 19552 ----a-w- c:\documents and settings\RC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-10 22:56 . 2009-04-04 01:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-10 19:48 . 2009-07-10 19:31 -------- d-----w- c:\documents and settings\RC\Application Data\GetRightToGo
2009-07-10 19:40 . 2009-07-10 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-07-10 13:49 . 2009-07-10 13:49 -------- d-----w- c:\program files\Common Files\Logitech
2009-07-10 13:49 . 2009-07-10 13:49 -------- d-----w- c:\program files\Logitech
2009-07-10 13:49 . 2009-04-04 01:58 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-02 10:02 . 2009-07-10 22:53 5085184 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-05-21 06:01 . 2009-07-10 22:53 17881600 ----a-w- c:\windows\RTHDCPL.EXE
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2006-08-05 23:32 359040 C81D6A930A7805F6DAA0C7902B99037E c:\windows\system32\drivers\tcpip.sys

[-] 2004-11-28 21:36 8704 AB3D62010AF342203FFA60C2D94DBC68 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 17:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-31 1935360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-02-19 1374096]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-05-21 17881600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/14/2009 5:25 PM 130936]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [7/10/2009 8:49 AM 14095]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/10/2009 5:53 PM 1684736]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ter8m - c:\windows\system32\msxm192z.dll
HKLM-Run-Microsoft Driver Setup - c:\windows\mscth32.exe
Notify-csbdll - csbdll.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.moonlapse.com/index.php?action=forum
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 22:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'lsass.exe'(780)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'explorer.exe'(1308)
c:\windows\system32\WININET.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll

- - - - - - - > 'csrss.exe'(700)
c:\program files\PC Tools AntiVirus\PCTAVHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-18 22:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 03:39
ComboFix2.txt 2009-08-18 02:54

Pre-Run: 136,162,054,144 bytes free
Post-Run: 136,129,597,440 bytes free

195


regards

[Ried]

Glad to hear that. :)

Navigate to your C: drive. You should see a CF-Submit.htm. Double click that and the upload should begin.

If you do not see a CF-Submit.htm...

Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.

[Rudi Cornette]

as you asked,

2009-08-18 03:38:38 . 2009-08-18 03:38:38 640 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-csbdll.reg.dat
2009-08-18 03:38:32 . 2009-08-18 03:38:32 133 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Microsoft Driver Setup.reg.dat
2009-08-18 03:38:31 . 2009-08-18 03:38:31 142 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-ter8m.reg.dat
2009-08-18 03:33:56 . 2009-08-18 03:33:57 587,477 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2009-08-17_22.33.47.zip
2009-08-18 02:52:20 . 2009-08-18 03:35:21 4,923 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-08-18 02:49:54 . 2009-08-18 03:32:30 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-08-16 22:52:50 . 2009-08-16 22:52:50 661 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Desktop\PC Tools AntiVirus.lnk.vir
2009-08-16 22:52:50 . 2009-08-16 22:52:50 679 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\RC\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Tools AntiVirus.lnk.vir
2009-08-16 18:02:23 . 2009-08-16 21:23:07 726 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Fonts\aldieofapqceo_setup.tmp.vir
2009-08-16 15:21:53 . 2009-08-18 03:33:55 36,352 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\csbdll.dll.vir
2009-08-16 15:21:42 . 2009-08-16 17:59:45 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4ea9d2da.sys.vir
2009-08-16 15:21:28 . 2009-08-16 21:22:43 75,264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\mscth32.exe.vir
2009-08-14 22:04:49 . 2009-08-18 03:33:50 53,248 ----a-w- C:\Qoobox\Quarantine\C\jnvcbaox.exe.vir
2009-08-14 22:04:49 . 2009-08-18 03:33:53 53,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Fonts\j8j88j.exe.vir
2009-08-14 22:04:22 . 2009-08-18 03:33:57 91,648 ----a-w- C:\Qoobox\Quarantine\C\yaewfl.exe.vir
2009-08-14 20:33:20 . 2009-08-18 03:33:51 212,533 ----a-w- C:\Qoobox\Quarantine\C\lyusoqm.exe.vir
2009-08-14 20:32:05 . 2009-08-18 03:33:49 211,048 ----a-w- C:\Qoobox\Quarantine\C\hflqw.exe.vir
2009-08-14 20:32:00 . 2009-08-14 20:32:00 269 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\RC\hgqcoq.bat.vir
2004-08-18 01:00:00 . 2009-08-18 03:33:56 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\msxm192z.dll.vir

[Ried]

Thanks.

Please visit this site and copy paste the following bolded text into the 'browse to file to submit' box:

C:\Qoobox\Quarantine\[4]-Submit_2009-08-17_22.33.47.zip

Click 'Send File'

Please let me know when that has been completed.