Press F1 forum, thread 98138: HJT and Outlook Express (started 2009-03-13 01:30:00 by NZHawk (4093))
Post 755944 | 2009-03-13 01:30:00 | NZHawk (4093)

Situation: Open Outlook Express, reply to an e-mail, type several lines & OE closes completely. Open OE again, Reply, start typing again, OE closes. 3rd try: open OE again, Reply, start typing again, computer shuts down & reboots. A BitDefender scan of the OE mail folders revealed an infection (trojan.dropper.kobcka.ez) and deleted it. Updated BitDefender Anti-Virus Free v10, turned off system restore & deep scan: clean. Tried OE again, still behaves the same as described above. Not certain where to go from here. I have turned off OE in the control panel, rebooted, turned on OE, tried: no change. MalwareBytes: found nothing - clean. Does anyone have any suggestions? Here is a HJT file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:47 p.m., on 13/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\New user\Desktop\2 Cleaning Tools\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.actrix.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - www.update.microsoft.com
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 5669 bytes
Post 755945 | 2009-03-13 01:40:00 | Blam (54)

1. Run > regsvr32 OLE32.DLL. After that, type regsvr32 inetcomm.dll in Run.
2. Run > msimn /reg

Also, tick this entry in your HijackThis log:

R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll

Speedy can remove unneeded entries later.

Download JavaRa and run it, your Java is out of date: raproducts.org. Click "remove older versions", then install the latest version.

Also, this seems like a deep infection. Download and run ComboFix: www.forospyware.com. Disable all AV and anti-spyware first before running ComboFix. Post the log here when done; use the "code" formatting option to save us from scrolling a lot!

Blam
Post 755946 | 2009-03-13 01:46:00 | Speedy Gonzales (78)

Since it looks like this was slipstreamed with nLite, what (services, if any, etc.) were removed before you burned the ISO?

You can tick these, then tick "Fix checked". Close browsers.

I don't know what this is / belongs to:
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll

Tick this if you don't use the language bar:
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
Post 755947 | 2009-03-13 02:50:00 | NZHawk (4093)

Implemented all suggestions, ready to repost the log, but I don't understand how to generate a log with "code" formatting. How is this done, please?
Post 755948 | 2009-03-13 04:20:00 | Blam (54)

Sorry, I mean CODE tags. Picture attached.

This text is wrapped in a CODE tag
Post 755949 | 2009-03-13 04:27:00 | NZHawk (4093)

Here is the current HJT. Sorry - I don't seem to have the formatting options that you have:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:27 p.m., on 13/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Documents and Settings\New user\Desktop\2 Cleaning Tools\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.actrix.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - www.update.microsoft.com
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 4779 bytes
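Comparing the two HJT logs in this thread by eye means scrolling two walls of text. As an added example (not code from this thread, from HijackThis or from any of the posters), the following Python script parses HJT logs into structured entries, diffs the first and second scan to show which entries disappeared after "Fix checked", and groups the entries that load code without user action (URLSearchHooks, BHOs, toolbars, Run/RunOnce keys, ActiveX downloads, services) into a review checklist. The embedded sample logs are constructed, abbreviated copies of the two scans posted above; the AUTOSTART_SECTIONS grouping and the CLSID/path extraction rules are the example's own assumptions, not something HijackThis defines.

```python
"""Parse HijackThis (HJT) logs into structured entries and diff two scans.

Added example for this thread, not code from HijackThis or from any poster.
LOG_BEFORE and LOG_AFTER are constructed, abbreviated copies of the two logs
posted above (the scan before and after the suggested entries were fixed).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# An HJT entry line: section tag (R0-R3, F0-F3, N1-N4, O1-O24), " - ", entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First absolute Windows path in the body that names a loadable/executable file.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]+?\.(?:exe|dll|cpl|sys|ocx|scr)\b", re.IGNORECASE)
# Sections that load code with no user action: URLSearchHooks, BHOs, toolbars,
# Run/RunOnce keys, ActiveX downloads, Winlogon/AppInit/SSODL hooks, services.
# This grouping is the example's own choice (assumption), not an HJT definition.
AUTOSTART_SECTIONS = {"R3", "O2", "O3", "O4", "O16", "O20", "O21", "O22", "O23"}

LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Program Files\Java\jre6\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.actrix.co.nz/
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.actrix.co.nz/
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str
    body: str
    clsid: Optional[str]   # lower-cased CLSID if the entry carries one
    path: Optional[str]    # first absolute path to a binary, if any

    @property
    def key(self) -> str:
        return f"{self.section} - {self.body}"


def parse_hjt(text: str) -> list[Entry]:
    """Return the entry lines of an HJT log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body,
                             clsid.group(0).lower() if clsid else None,
                             path.group(0) if path else None))
    return entries


def diff_logs(before: list[Entry], after: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """Entries only in the earlier scan (removed) and only in the later one (added)."""
    b = {e.key: e for e in before}
    a = {e.key: e for e in after}
    return ([e for k, e in b.items() if k not in a],
            [e for k, e in a.items() if k not in b])


def autostart_entries(entries: list[Entry]) -> dict[str, list[Entry]]:
    """Group the entries that load code automatically by HJT section."""
    grouped: dict[str, list[Entry]] = {}
    for e in entries:
        if e.section in AUTOSTART_SECTIONS:
            grouped.setdefault(e.section, []).append(e)
    return grouped


if __name__ == "__main__":
    removed, added = diff_logs(parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER))
    for e in removed:
        print("fixed:", e.key)
    for e in added:
        print("new:  ", e.key)
    for section, items in autostart_entries(parse_hjt(LOG_AFTER)).items():
        print(section, [(e.clsid, e.path) for e in items])
```

Run it as-is to print the fixed and new entries for the sample logs, or pass the text of a full HJT log file to parse_hjt for a real scan. The diff only tells you what HJT no longer lists; it says nothing about whether the entries that remain are clean, which is why the thread moves on to ComboFix when the OE crash persists.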
Post 755950 | 2009-03-13 04:31:00 | Blam (54)

Ehhh.... Where? :p
Post 755951 | 2009-03-14 01:57:00 | NZHawk (4093)

I have run the gamut of scans:
- Avast
- Rogue Remover
- ComboFix
- Trojan Remover
- Spyware Terminator
- Super AntiSpyware
- Malwarebytes

but still, when in Outlook Express, typing a reply, after approx 1 minute Outlook Express closed. Tried another reply and it closed within 20 sec. Am I looking at a reformat? Any suggestions are appreciated.
Post 755952 | 2009-03-14 02:13:00 | Pancake (6359)

Can you post that ComboFix log so I can have a look at what's inside.
Post 755953 | 2009-03-14 02:15:00 | NZHawk (4093)

Thank you, here it is:

ComboFix 09-03-13.01 - New user 2009-03-14 13:46:25.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1812 [GMT 13:00]
Running from: c:\documents and settings\New user\Desktop\2 Cleaning Tools\ComboFix.exe
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-14 12:55 . 2009-03-14 12:55 <DIR> d-------- c:\program files\Alwil Software
2009-03-13 14:58 . 2009-03-13 14:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-13 14:21 . 2009-03-13 14:21 <DIR> d-------- c:\documents and settings\New user\Application Data\Malwarebytes
2009-03-13 14:21 . 2009-03-13 14:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-13 12:17 . 2009-03-13 14:39 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-13 11:45 . 2009-03-13 14:39 <DIR> d-------- c:\documents and settings\New user\Application Data\Simply Super Software
2009-03-13 11:45 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-03-13 11:45 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-03-13 11:45 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-03-13 11:45 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-03-13 11:45 . 2006-06-19 13:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-02-20 13:07 . 2009-02-20 13:07 0 --a------ c:\windows\nsreg.dat
2009-02-20 13:06 . 2009-02-20 13:06 <DIR> d-------- c:\documents and settings\New user\Application Data\OpenOffice.org
2009-02-20 13:02 . 2009-02-20 13:02 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-02-20 13:02 . 2009-02-20 13:02 <DIR> d-------- c:\program files\JRE
2009-02-20 12:25 . 2009-02-20 12:25 <DIR> d-------- c:\documents and settings\New user\Application Data\Auslogics
2009-02-20 11:57 . 2009-02-20 11:57 <DIR> d-------- c:\documents and settings\New user\Application Data\Symantec
2009-02-20 11:53 . 2009-02-20 11:53 131 --a------ c:\windows\CRC.INI
2009-02-20 11:47 . 2009-02-20 11:47 <DIR> d-------- c:\program files\COMODO
2009-02-20 10:22 . 2009-02-20 10:22 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-02-20 10:22 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-20 10:21 . 2009-02-20 10:21 <DIR> d-------- c:\windows\system32\LogFiles
2009-02-20 10:21 . 2009-02-20 10:21 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-20 10:17 . 2009-02-20 10:17 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-20 10:15 . 2008-12-21 12:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-02-20 10:15 . 2007-04-17 22:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-20 10:15 . 2007-03-08 18:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-20 10:15 . 2008-12-21 12:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-02-20 10:15 . 2008-12-21 12:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-02-20 10:15 . 2008-12-21 12:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-02-20 10:15 . 2008-12-21 12:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-02-20 10:15 . 2008-12-21 12:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-20 10:15 . 2008-12-19 22:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:14 . 2008-10-25 00:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-20 10:13 . 2008-08-14 23:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-20 10:13 . 2008-08-14 23:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-20 10:13 . 2008-08-14 22:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-20 10:13 . 2008-08-14 22:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-20 10:12 . 2008-06-14 00:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-02-20 10:12 . 2008-06-14 00:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-02-20 08:39 . 2009-03-13 14:37 <DIR> d--h----- c:\windows\$hf_mig$
2009-02-20 08:39 . 2006-09-25 17:58 23,856 --a------ c:\windows\system32\spupdsvc.exe
2009-02-20 08:37 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2009-02-20 08:37 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-02-20 08:37 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-02-20 08:37 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-20 08:37 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-02-20 08:30 . 2009-02-20 08:30 2,422 --a------ c:\windows\system32\wpa.bak
2009-02-20 08:25 . 2009-02-20 08:25 <DIR> d-------- c:\documents and settings\New user\Application Data\CyberLink
2009-02-20 08:24 . 2009-02-20 08:24 <DIR> d-------- c:\program files\CyberLink
2009-02-20 08:24 . 2009-02-20 08:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
2009-02-19 15:45 . 2009-02-19 15:45 <DIR> d-------- c:\documents and settings\New user\Application Data\Bitdefender
2009-02-19 15:16 . 2009-02-19 15:16 <DIR> d-------- c:\documents and settings\New user\Application Data\Foxit
2009-02-19 13:30 . 2009-02-19 13:30 <DIR> d-------- c:\documents and settings\New user\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 00:41 81,984 ----a-w c:\windows\system32\bdod.bin
2009-03-14 00:28 16,608 ----a-w c:\windows\gdrv.sys
2009-03-13 01:58 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-13 01:12 --------- d-----w c:\program files\Java
2009-02-19 19:24 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-19 19:24 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-19 03:15 --------- d-----w c:\program files\Common Files\Nero
2009-02-19 03:14 --------- d-----w c:\program files\Nero
2009-02-19 03:14 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-02-19 02:44 --------- d-----w c:\program files\Softwin
2009-02-19 02:44 --------- d-----w c:\program files\Common Files\Softwin
2009-02-19 02:44 --------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-02-19 02:18 --------- d-----w c:\program files\QuickTime
2009-02-19 02:18 --------- d-----w c:\program files\Apple Software Update
2009-02-19 02:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-19 02:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-02-19 02:16 --------- d-----w c:\program files\Foxit Software
2009-02-19 02:16 --------- d-----w c:\program files\AskBarDis
2009-02-19 02:16 --------- d-----w c:\program files\7-Zip
2009-02-19 02:12 --------- d-----w c:\program files\Executive Software
2009-02-19 00:30 --------- d-----w c:\program files\Realtek
2009-02-19 00:29 315,392 ----a-w c:\windows\HideWin.exe
2009-02-19 00:27 --------- d-----w c:\program files\Intel
2009-02-19 00:26 --------- d-----w c:\program files\Gigabyte
2009-02-19 00:26 --------- d-----w c:\program files\Browser Configuration Utility
2009-02-18 23:10 --------- d-----w c:\program files\microsoft frontpage
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDMCon"="c:\program files\Softwin\BitDefender10\bdmcon.exe" [2007-04-02 290816]
"BDAgent"="c:\program files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 69632]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-12-21 c:\windows\system32\advpack.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

S2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [2009-02-19 80392]

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.actrix.co.nz/
FF - ProfilePath - c:\documents and settings\New user\Application Data\Mozilla\Firefox\Profiles\v5ufl5fh.default\
FF - prefs.js: browser.startup.homepage - www.actrix.co.nz
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 13:47:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-14 13:48:09
ComboFix-quarantined-files.txt 2009-03-14 00:48:07

Pre-Run: 78,110,416,896 bytes free
Post-Run: 78,120,910,848 bytes free

156