HJT and Outlook Express



NZHawk
13-03-2009, 02:30 PM
Situation:
Open Outlook Express, reply to an e-mail, type several lines, and OE closes completely.
Open OE again, reply, start typing again, OE closes.
Third try: open OE again, reply, start typing again, and the computer shuts down and reboots.
A BitDefender scan of the OE mail folders revealed an infection (trojan.dropper.kobcka.ez) and deleted it.
Updated BitDefender Anti-Virus Free v10, turned off system restore & deep scan: clean
Tried OE again; it still behaves the same as described above.
Not certain where to go from here.
I have turned off OE in the control panel, rebooted, turned on OE, tried: no change
MalwareBytes: found nothing - clean

Does anyone have any suggestions?

Here is a HJT file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:47 p.m., on 13/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\New user\Desktop\2 Cleaning Tools\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.actrix.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235072205218
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 5669 bytes

Blam
13-03-2009, 02:40 PM
1. Run>regsvr32 OLE32.DLL
After that, type regsvr32 inetcomm.dll in run

2. Run>msimn /reg

Also, tick this entry in your HijackThis log:

R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll

Speedy can remove unneeded entries later.

Download JavaRa and run it; your Java is out of date:
http://raproducts.org/javara.html

click remove older versions, then install the latest version

Also, this seems like a deep infection, download and run combofix:
http://www.forospyware.com/sUBs/ComboFix.exe

Disable all AV and AntiSpyware first before running ComboFix.

Post the log here when done, and use the "code" formatting option to save us from scrolling a lot!

Blam

Speedy Gonzales
13-03-2009, 02:46 PM
Since it looks like this was slipstreamed with nLite, what services (if any) etc. were removed before you burned the ISO?

You can tick these then tick fix checked

Close browsers

I don't know what this is / belongs to

R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll

Tick this if you don't use the language bar

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
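An added example, not code from any poster in this thread: a small Python parser for the HijackThis log format shown above. It turns each R/O line into a structured record (section code, kind, name, CLSID, file or URL) and adds two defender-side checks in the spirit of the advice given here: listing O4 autostarts whose command names a bare executable with no directory (so the file has to be located by hand before deciding on it), and grouping entries by the module they load, so one DLL registered under several hooks shows up once with all its sections. The sample lines are copied from the log posted above; the function and class names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.actrix.co.nz/
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235072205218
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body: <hive>\..\<Run|RunOnce>: [<value name>] <command> [(User '<account>')]
O4_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)


@dataclass
class HJTEntry:
    code: str          # section code, e.g. "O4" or "R0"
    kind: str          # "BHO", "Toolbar", "Run", "Start Page", ...
    name: str          # display name or registry value name
    target: str        # file path, command line or URL the entry points at
    clsid: str = ""    # COM class id when the entry has one
    user: str = ""     # account for per-user O4 entries


def parse_line(line: str) -> HJTEntry | None:
    """Parse one HijackThis result line; return None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    if code == "O4":
        o4 = O4_RE.match(body)
        if o4:
            return HJTEntry(code, o4["key"], o4["name"], o4["cmd"], user=o4["user"] or "")
        return HJTEntry(code, "Run", "", body)
    if code in ("R0", "R1"):
        # Registry value lines: <key>,<value name> = <data>  (data may be empty)
        key, _, value = body.partition(" =")
        value_name = key.strip().rpartition(",")[2]
        return HJTEntry(code, value_name, key.strip(), value.strip())
    # Everything else: "<kind>: <name> - [<clsid> -] <path or URL>"
    kind, _, rest = body.partition(": ")
    parts = [p.strip() for p in rest.split(" - ")]
    clsid = CLSID_RE.search(body)
    return HJTEntry(code, kind, parts[0], parts[-1] if len(parts) > 1 else "",
                    clsid=clsid.group(0) if clsid else "")


def parse_log(text: str) -> list[HJTEntry]:
    """Parse a whole log, skipping the process list and other non-entry lines."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def executable_of(cmd: str) -> str:
    """First token of an autostart command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def unqualified_autostarts(entries: list[HJTEntry]) -> list[str]:
    """Names of O4 autostarts whose executable carries no directory, so Windows
    resolves it via the search path; these need locating on disk before judging."""
    names = []
    for e in entries:
        exe = executable_of(e.target)
        if e.code == "O4" and "\\" not in exe and "/" not in exe:
            names.append(e.name)
    return sorted(names)


def entries_by_module(entries: list[HJTEntry]) -> dict[str, list[str]]:
    """Group entries by the file they load (case-insensitive) so one DLL that is
    registered as, say, both a BHO and a toolbar is reported once with both codes."""
    out: dict[str, list[str]] = {}
    for e in entries:
        path = executable_of(e.target) if e.code == "O4" else e.target
        if path.lower().endswith((".dll", ".exe", ".cpl", ".ocx")):
            out.setdefault(path.lower(), []).append(e.code)
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed")
    print("autostarts with no directory:", unqualified_autostarts(entries))
    for path, codes in entries_by_module(entries).items():
        if len(codes) > 1:
            print(f"{path} is loaded by {', '.join(codes)}")
```

The parser deliberately makes no good/bad verdict: it only normalises the log so the same checks can be applied to the first and second logs in this thread (diffing the two parsed lists shows exactly which entries the "fix checked" step removed).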

NZHawk
13-03-2009, 03:50 PM
Implemented all suggestions.
Ready to repost the log but don't understand how to generate a log with "code" formatting.
How is this done, please?

Blam
13-03-2009, 05:20 PM
Sorry, I mean CODE tags.

Picture attached


This text is wrapped in a CODE Tag

NZHawk
13-03-2009, 05:27 PM
Here is the current HJT

Sorry - I don't seem to have the formatting options that you have:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:27 p.m., on 13/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Documents and Settings\New user\Desktop\2 Cleaning Tools\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.actrix.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235072205218
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 4779 bytes

Blam
13-03-2009, 05:31 PM
Ehhh....Where?:p

NZHawk
14-03-2009, 02:57 PM
I have run the gamut of scans:
- Avast
- Rogue remover
- ComboFix
- Trojan Remover
- Spyware terminator
- Super AntiSpyware
- Malwarebytes

but still, when in Outlook Express typing a reply, after approx. 1 minute Outlook Express closed.
Tried another reply and it closed within 20 sec.

Am I looking at a reformat?

Any suggestions are appreciated.

Pancake
14-03-2009, 03:13 PM
Can you post that ComboFix log so I can have a look at what's inside.

NZHawk
14-03-2009, 03:15 PM
Thank you
here it is:

ComboFix 09-03-13.01 - New user 2009-03-14 13:46:25.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1812 [GMT 13:00]
Running from: c:\documents and settings\New user\Desktop\2 Cleaning Tools\ComboFix.exe
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-14 12:55 . 2009-03-14 12:55 <DIR> d-------- c:\program files\Alwil Software
2009-03-13 14:58 . 2009-03-13 14:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-13 14:21 . 2009-03-13 14:21 <DIR> d-------- c:\documents and settings\New user\Application Data\Malwarebytes
2009-03-13 14:21 . 2009-03-13 14:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-13 12:17 . 2009-03-13 14:39 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-13 11:45 . 2009-03-13 14:39 <DIR> d-------- c:\documents and settings\New user\Application Data\Simply Super Software
2009-03-13 11:45 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-03-13 11:45 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-03-13 11:45 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-03-13 11:45 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-03-13 11:45 . 2006-06-19 13:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-02-20 13:07 . 2009-02-20 13:07 0 --a------ c:\windows\nsreg.dat
2009-02-20 13:06 . 2009-02-20 13:06 <DIR> d-------- c:\documents and settings\New user\Application Data\OpenOffice.org
2009-02-20 13:02 . 2009-02-20 13:02 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-02-20 13:02 . 2009-02-20 13:02 <DIR> d-------- c:\program files\JRE
2009-02-20 12:25 . 2009-02-20 12:25 <DIR> d-------- c:\documents and settings\New user\Application Data\Auslogics
2009-02-20 11:57 . 2009-02-20 11:57 <DIR> d-------- c:\documents and settings\New user\Application Data\Symantec
2009-02-20 11:53 . 2009-02-20 11:53 131 --a------ c:\windows\CRC.INI
2009-02-20 11:47 . 2009-02-20 11:47 <DIR> d-------- c:\program files\COMODO
2009-02-20 10:22 . 2009-02-20 10:22 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-02-20 10:22 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-20 10:21 . 2009-02-20 10:21 <DIR> d-------- c:\windows\system32\LogFiles
2009-02-20 10:21 . 2009-02-20 10:21 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-20 10:17 . 2009-02-20 10:17 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-20 10:15 . 2008-12-21 12:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-02-20 10:15 . 2007-04-17 22:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-20 10:15 . 2007-03-08 18:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-20 10:15 . 2008-12-21 12:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-02-20 10:15 . 2008-12-21 12:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-02-20 10:15 . 2008-12-21 12:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-02-20 10:15 . 2008-12-21 12:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-02-20 10:15 . 2008-12-21 12:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-20 10:15 . 2008-12-19 22:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:14 . 2008-10-25 00:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-20 10:13 . 2008-08-14 23:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-20 10:13 . 2008-08-14 23:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-20 10:13 . 2008-08-14 22:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-20 10:13 . 2008-08-14 22:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-20 10:12 . 2008-06-14 00:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-02-20 10:12 . 2008-06-14 00:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-02-20 08:39 . 2009-03-13 14:37 <DIR> d--h----- c:\windows\$hf_mig$
2009-02-20 08:39 . 2006-09-25 17:58 23,856 --a------ c:\windows\system32\spupdsvc.exe
2009-02-20 08:37 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2009-02-20 08:37 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-02-20 08:37 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-02-20 08:37 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-20 08:37 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-02-20 08:30 . 2009-02-20 08:30 2,422 --a------ c:\windows\system32\wpa.bak
2009-02-20 08:25 . 2009-02-20 08:25 <DIR> d-------- c:\documents and settings\New user\Application Data\CyberLink
2009-02-20 08:24 . 2009-02-20 08:24 <DIR> d-------- c:\program files\CyberLink
2009-02-20 08:24 . 2009-02-20 08:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
2009-02-19 15:45 . 2009-02-19 15:45 <DIR> d-------- c:\documents and settings\New user\Application Data\Bitdefender
2009-02-19 15:16 . 2009-02-19 15:16 <DIR> d-------- c:\documents and settings\New user\Application Data\Foxit
2009-02-19 13:30 . 2009-02-19 13:30 <DIR> d-------- c:\documents and settings\New user\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 00:41 81,984 ----a-w c:\windows\system32\bdod.bin
2009-03-14 00:28 16,608 ----a-w c:\windows\gdrv.sys
2009-03-13 01:58 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-13 01:12 --------- d-----w c:\program files\Java
2009-02-19 19:24 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-19 19:24 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-19 03:15 --------- d-----w c:\program files\Common Files\Nero
2009-02-19 03:14 --------- d-----w c:\program files\Nero
2009-02-19 03:14 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-02-19 02:44 --------- d-----w c:\program files\Softwin
2009-02-19 02:44 --------- d-----w c:\program files\Common Files\Softwin
2009-02-19 02:44 --------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-02-19 02:18 --------- d-----w c:\program files\QuickTime
2009-02-19 02:18 --------- d-----w c:\program files\Apple Software Update
2009-02-19 02:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-19 02:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-02-19 02:16 --------- d-----w c:\program files\Foxit Software
2009-02-19 02:16 --------- d-----w c:\program files\AskBarDis
2009-02-19 02:16 --------- d-----w c:\program files\7-Zip
2009-02-19 02:12 --------- d-----w c:\program files\Executive Software
2009-02-19 00:30 --------- d-----w c:\program files\Realtek
2009-02-19 00:29 315,392 ----a-w c:\windows\HideWin.exe
2009-02-19 00:27 --------- d-----w c:\program files\Intel
2009-02-19 00:26 --------- d-----w c:\program files\Gigabyte
2009-02-19 00:26 --------- d-----w c:\program files\Browser Configuration Utility
2009-02-18 23:10 --------- d-----w c:\program files\microsoft frontpage
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDMCon"="c:\program files\Softwin\BitDefender10\bdmcon.exe" [2007-04-02 290816]
"BDAgent"="c:\program files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 69632]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-12-21 c:\windows\system32\advpack.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

S2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [2009-02-19 80392]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.actrix.co.nz/
FF - ProfilePath - c:\documents and settings\New user\Application Data\Mozilla\Firefox\Profiles\v5ufl5fh.default\
FF - prefs.js: browser.startup.homepage - www.actrix.co.nz
.

************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 13:47:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
Completion time: 2009-03-14 13:48:09
ComboFix-quarantined-files.txt 2009-03-14 00:48:07

Pre-Run: 78,110,416,896 bytes free
Post-Run: 78,120,910,848 bytes free

156

Pancake
14-03-2009, 03:40 PM
I have been all through that and it is clear of malware. There is a repair for OE here but they recommend you use Live Mail instead. Strange!!!

http://support.microsoft.com/default.aspx?scid=kb;EN-US;318378

NZHawk
14-03-2009, 03:44 PM
Saw that in my earlier research.
what do you think about IE8 install?

Speedy Gonzales
14-03-2009, 03:58 PM
I would wait for IE 8 final. It may be due 20 March this year.

NZHawk
14-03-2009, 04:00 PM
Thank you to everyone for their help with this.
I am calling it a day and will try the repairs later.

Thanks again. :)

Pancake
14-03-2009, 04:02 PM
Here is another repair site...

http://www.theeldergeek.com/repair_reinstall_ie_and_oe_6.htm

Blam
14-03-2009, 05:38 PM
Have you tried repairing system files?

Run>sfc /scannow