Tech Support Forum > Security Center > HijackThis Log Help
06-05-2008, 08:29 AM   #1
Registered User
Join Date: Jun 2008
Posts: 5
OS: XP service pack 2 I think


Worm.Win32.booster...locked out of property manager

Recently when I was trying to watch a video I unknowingly downloaded the Worm.Win32.Booster, which was disguised as an ActiveX application. The message "Windows has detected an Internet attack attempt... Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from Internet" kept popping up. I additionally was locked out of my task manager and display properties manager by the "administrator" even though I am the administrator. In the start menu I also do not have my applications folder, control panels, command prompt, or the my computer menu.

I ran a bunch of different virus and spyware scans and I think I was able to get rid of most of the spyware. I also was able to regain control of my task manager; however, when I tried ending the files that I read to be associated with the worm (winlogon.exe, csrss.exe, smss.exe, services.exe, lsass.exe) the message "This is a critical system process. Task Manager cannot end this program." appeared. Therefore I was hoping that I could get some guidance on repairing this problem.

HijackThis....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27: VIRUS ALERT!, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 4745 bytes



Panda Scan...

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-05 10:52:29
PROTECTIONS: 2
MALWARE: 0
SUSPECTS: 8
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Spyware Doctor with AntiVirus 5.5.1.2 Yes Yes
Norton 360 2007 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
SUSPECTS
Sent Location W
;===================================================================================================================================================================================
No C:\WINDOWS\SoftwareDistribution\Download\9d8d11b4843c08ba3b14540db008a873\spmsg.dll W
No C:\WINDOWS\SoftwareDistribution\Download\9d8d11b4843c08ba3b14540db008a873\spuninst.exe W
No C:\WINDOWS\SoftwareDistribution\Download\9d8d11b4843c08ba3b14540db008a873\sp2gdr\agentdpv.dll W
No C:\WINDOWS\SoftwareDistribution\Download\9d8d11b4843c08ba3b14540db008a873\sp2qfe\agentdpv.dll W
No C:\WINDOWS\SoftwareDistribution\Download\9d8d11b4843c08ba3b14540db008a873\sp2qfe\xpsp3res.dll W
No C:\WINDOWS\SoftwareDistribution\Download\9d8d11b4843c08ba3b14540db008a873\update\spcustom.dll W
No C:\WINDOWS\SoftwareDistribution\Download\9d8d11b4843c08ba3b14540db008a873\update\update.exe W
No C:\WINDOWS\SoftwareDistribution\Download\9d8d11b4843c08ba3b14540db008a873\update\updspapi.dll W
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description W
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 W
184379 MEDIUM MS08-001 W
182048 HIGH MS07-069 W
182046 HIGH MS07-067 W
182043 HIGH MS07-064 W
179553 HIGH MS07-061 W
176382 HIGH MS07-057 W
176383 HIGH MS07-058 W
170911 HIGH MS07-050 W
170907 HIGH MS07-046 W
170906 HIGH MS07-045 W
170904 HIGH MS07-043 W
164915 HIGH MS07-035 W
164913 HIGH MS07-033 W
164911 HIGH MS07-031 W
160623 HIGH MS07-027 W
157262 HIGH MS07-022 W
157261 HIGH MS07-021 W
157260 HIGH MS07-020 W
157259 HIGH MS07-019 W
156477 HIGH MS07-017 W
150253 HIGH MS07-016 W
150249 HIGH MS07-013 W
150248 HIGH MS07-012 W
150247 HIGH MS07-011 W
150243 HIGH MS07-008 W
150242 HIGH MS07-007 W
150241 MEDIUM MS07-006 W
141034 HIGH MS06-076 W
141033 MEDIUM MS06-075 W
141030 HIGH MS06-072 W
137571 HIGH MS06-070 W
137568 HIGH MS06-067 W
133387 MEDIUM MS06-065 W
133386 MEDIUM MS06-064 W
133385 MEDIUM MS06-063 W
133379 HIGH MS06-057 W
131654 HIGH MS06-055 W
129977 MEDIUM MS06-053 W
129976 MEDIUM MS06-052 W
126093 HIGH MS06-051 W
126092 MEDIUM MS06-050 W
126087 HIGH MS06-046 W
126086 MEDIUM MS06-045 W
126083 HIGH MS06-042 W
126082 HIGH MS06-041 W
126081 HIGH MS06-040 W
123421 HIGH MS06-036 W
123420 HIGH MS06-035 W
120825 MEDIUM MS06-032 W
120823 MEDIUM MS06-030 W
120818 HIGH MS06-025 W
120815 HIGH MS06-022 W
120814 HIGH MS06-021 W
117384 MEDIUM MS06-018 W
114666 HIGH MS06-015 W
114664 HIGH MS06-013 W
108744 MEDIUM MS06-008 W
108743 MEDIUM MS06-007 W
108742 MEDIUM MS06-006 W
104567 HIGH MS06-002 W
104237 HIGH MS06-001 W
96574 HIGH MS05-053 W
93395 HIGH MS05-051 W
93394 HIGH MS05-050 W
93454 MEDIUM MS05-049 W
;===================================================================================================================================================================================



Deckard's System Scanner v20071014.68
Run by Derren on 2008-06-05 10:58:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-06-05 15:59:07 UTC - RP6 - Deckard's System Scanner Restore Point
5: 2008-06-05 05:46:49 UTC - RP5 - Software Distribution Service 3.0
4: 2008-06-05 05:19:14 UTC - RP4 - Installed Ad-Aware
3: 2008-06-04 22:48:33 UTC - RP3 - Removed Ad-Aware
2: 2008-06-04 10:38:29 UTC - RP2 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-06-04 04:48:17 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Derren.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00: VIRUS ALERT!, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Derren\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Derren.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 4724 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080604-102616-218 O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
backup-20080604-102616-251 O2 - BHO: QXK Olive - {61B97503-AC8C-49D3-B549-34C0EC92128D} - C:\WINDOWS\boqnrwdmdev.dll
backup-20080604-102616-284 O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
backup-20080604-102616-353 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
backup-20080604-102616-367 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
backup-20080604-102616-485 O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
backup-20080604-102616-684 O3 - Toolbar: atfxqogp - {910EF077-8B76-4A3C-B201-A5CAABA866F8} - C:\WINDOWS\atfxqogp.dll
backup-20080604-102616-897 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080604-102617-859 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
backup-20080604-102618-872 O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
backup-20080604-103517-427 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.viewpoint.com/landing/v38a.html
backup-20080604-103517-468 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
backup-20080604-103826-224 O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
backup-20080604-104521-737 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
backup-20080604-111434-491 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080604-111434-701 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
backup-20080604-111434-828 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080604-111459-337 O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
backup-20080604-112104-259 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080604-112104-437 O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
backup-20080604-112105-182 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
backup-20080604-112105-208 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080604-112105-218 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080604-112105-417 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080604-112105-474 O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
backup-20080604-112105-720 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080604-112105-983 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
backup-20080604-112237-549 O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe
backup-20080604-112703-648 O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
backup-20080604-112703-653 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
backup-20080604-112703-811 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
backup-20080604-112703-863 O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
backup-20080604-112944-451 O23 - Service: OpcEnum - Unknown owner - C:\WINDOWS\system32\OpcEnum.exe (file missing)
backup-20080604-113043-469 O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
backup-20080604-113818-717 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
backup-20080604-164339-416 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
backup-20080604-164339-523 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
backup-20080604-165906-146 O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
backup-20080604-165906-429 O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
backup-20080604-165906-490 O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
backup-20080604-165906-637 O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
backup-20080604-165906-668 O4 - HKLM\..\Run: [lphcl15j0eg9t] C:\WINDOWS\system32\lphcl15j0eg9t.exe
backup-20080604-165906-757 O4 - HKCU\..\Run: [LxrAutorun] C:\Documents and Settings\Derren\Local Settings\Application Data\Lexar Media\LxrAutorun.exe
backup-20080604-165906-916 O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
backup-20080604-165906-956 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080604-165907-134 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
backup-20080604-165907-197 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
backup-20080604-165907-203 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080604-165907-294 O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
backup-20080604-165907-358 O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
backup-20080604-165907-376 O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20080604-165907-437 O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
backup-20080604-165907-453 O21 - SSODL: vregfwlx - {55DA5A8F-16B8-447A-A20C-851C9D5CA082} - C:\WINDOWS\vregfwlx.dll
backup-20080604-165907-478 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
backup-20080604-165907-629 O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
backup-20080604-165907-651 O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
backup-20080604-165907-657 O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
backup-20080604-165907-679 O21 - SSODL: vltdfabw - {51C40E62-2B1C-4D86-9155-6EF790F7097A} - C:\WINDOWS\vltdfabw.dll
backup-20080604-165907-704 O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
backup-20080604-165907-707 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
backup-20080604-165907-830 O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
backup-20080604-165907-935 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
backup-20080604-235431-380 F2 - REG:system.ini: Shell=
backup-20080604-235431-787 R3 - Default URLSearchHook is missing

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 cvintdrv - c:\windows\system32\drivers\cvintdrv.sys
R2 LxrSII1d (Secure II Driver) - c:\windows\system32\drivers\lxrsii1d.sys

S3 CamDrL (Logitech QuickCam Pro 3000(CamDrl)) - c:\windows\system32\drivers\camdrl.sys (file missing)
S3 LVUSBSta (Logitech USB Monitor Filter) - c:\windows\system32\drivers\lvusbsta.sys (file missing)
S3 tbhsd (Tunebite High-Speed Dubbing) - c:\windows\system32\drivers\tbhsd.sys <Not Verified; RapidSolution Software AG; Tunebite High-Speed Dubbing>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 LxrSII1s (Lexar Secure II) - lxrsii1s.exe

S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
S4 OpcEnum - c:\windows\system32\opcenum.exe (file missing)
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-04 20:42:18 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-05 00:14:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 21:43:17 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-04 21:41:35 0 d-------- C:\Program Files\Common Files\PC Tools
2008-06-04 20:08:46 0 d-------- C:\WINDOWS\system32\NtmsData
2008-06-04 18:21:28 0 d-------- C:\!KillBox
2008-06-04 17:58:54 0 d-------- C:\Documents and Settings\Derren\Application Data\Grisoft
2008-06-04 17:52:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-04 17:49:38 0 d-------- C:\Documents and Settings\Derren\Application Data\Lavasoft
2008-06-04 17:49:11 0 d-------- C:\Program Files\Lavasoft
2008-06-04 12:39:48 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-04 12:39:21 0 d-------- C:\Program Files\Spyware Doctor
2008-06-04 12:39:21 0 d-------- C:\Documents and Settings\Derren\Application Data\PC Tools
2008-06-04 12:36:32 0 d-------- C:\Program Files\Panda Security
2008-06-04 00:52:00 0 d-------- C:\Documents and Settings\Derren\Application Data\TmpRecentIcons
2008-06-03 23:43:59 262144 --a------ C:\WINDOWS\vregfwlx.dll
2008-06-03 23:43:59 307200 --a------ C:\WINDOWS\vltdfabw.dll
2008-06-03 23:43:59 163840 --a------ C:\WINDOWS\esbq.exe
2008-06-03 23:43:53 52736 --a------ C:\WINDOWS\system32\blphcl15j0eg9t.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-25 00:27:34 0 d-------- C:\WINDOWS\nview
2008-05-24 23:39:05 32356 -----n--- C:\WINDOWS\system32\pusbfd1.sys <Not Verified; Phoenix Technologies K.K.; USB FDD DRIVER>
2008-05-24 23:38:46 0 d-------- C:\Documents and Settings\Derren\Application Data\Sonic
2008-05-24 23:35:54 0 d-------- C:\Program Files\Common Files\muvee Technologies
2008-05-24 23:35:52 0 d-------- C:\Program Files\muvee Technologies
2008-05-24 23:35:39 0 d-------- C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-05-24 23:34:56 0 d-------- C:\Program Files\Zone.com
2008-05-24 23:31:55 0 d-------- C:\Program Files\InterVideo
2008-05-24 23:22:31 0 d-------- C:\WINDOWS\tiinst
2008-05-24 23:20:43 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-05-24 23:20:43 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-05-24 23:20:41 978944 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-05-24 23:20:41 380928 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-05-24 23:20:39 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Analog Devices, Inc.; Analog Devices, Inc. SynthCore11Resources>
2008-05-24 23:20:39 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-05-24 23:20:39 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-05-24 23:20:38 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-05-24 23:20:37 0 d-------- C:\WINDOWS\VirtualEar
2008-05-24 23:20:34 49152 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-05-24 23:20:34 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-05-24 23:20:34 0 d-------- C:\Program Files\Analog Devices
2008-05-24 23:19:54 0 d-------- C:\SYSTEM.SAV
2008-05-22 01:30:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-22 01:21:20 0 d-------- C:\Program Files\Trend Micro
2008-05-22 00:42:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft


-- Find3M Report ---------------------------------------------------------------

2008-06-05 09:22:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-05 00:14:50 0 d-------- C:\Program Files\Common Files
2008-05-30 23:15:38 0 d-------- C:\Program Files\Symantec
2008-05-25 00:35:24 0 d-------- C:\Program Files\Java
2008-05-25 00:29:05 0 d-------- C:\Program Files\HPQ
2008-05-25 00:23:18 44 --a----c- C:\WINDOWS\system32\msssc.dll
2008-05-24 23:59:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-24 23:59:23 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-24 23:36:10 50 --a------ C:\AUTOEXEC.BAT
2008-05-19 23:46:16 0 d-------- C:\Program Files\UltimateBet
2008-04-22 09:24:31 0 d-------- C:\Program Files\Safari
2008-04-22 09:22:18 0 d-------- C:\Program Files\Apple Software Update
2008-04-08 14:22:55 0 d-------- C:\Documents and Settings\Derren\Application Data\Apple Computer
2008-04-08 11:16:24 0 d-------- C:\Program Files\iTunes
2008-04-08 11:16:11 0 d-------- C:\Program Files\iPod
2008-04-08 11:12:41 0 d-------- C:\Program Files\QuickTime
2008-04-06 20:22:22 0 d-------- C:\Program Files\HP


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/08/2007 16:24: VIRUS ALERT!]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 22:16: VIRUS ALERT!]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 15:14: VIRUS ALERT!]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 20:54: VIRUS ALERT!]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00: VIRUS ALERT!]
"@"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=1 (0x1)
"DisableTaskMgr"=0 (0x0)
"NoDispCPL"=1 (0x1)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

*Newly Created Service* - COMHOST
*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-06-05 11:02:01 ------------
Attached Files
File Type: txt extra.txt (17.8 KB, 0 views)
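The Registry Dump above shows several `policies\system` and `policies\explorer` values set to 1 (NoDispCPL, NoDispScrSavPage, NoStartMenuMorePrograms, NoSetFolders), which line up with the symptoms described in the opening post: Display Properties locked, Control Panel and All Programs gone from the Start menu. An analyst reading many such logs would want to spot these values automatically. The following Python script is an added example, not part of the original thread or of Deckard's System Scanner; it parses the registry-dump format shown above (including the stray `"` DSS prints in place of `]` on some SafeBoot keys) and flags lockdown policies and disabled security components. The sample dump is constructed from the values in this thread, and the human-readable descriptions of each value name are our own.

```python
"""Flag lockdown and security-disabling registry values in a DSS/ComboFix-style
registry dump (added example, not part of the original thread)."""
import re

# Explorer/System policy values that hide or disable user-facing tools when non-zero.
# The value names are real policy names; the descriptions are our own summaries.
LOCKDOWN_POLICIES = {
    "DisableTaskMgr": "Task Manager disabled",
    "DisableRegistryTools": "Registry Editor disabled",
    "NoDispCPL": "Display Properties hidden",
    "NoDispScrSavPage": "Screen Saver tab hidden",
    "NoDispBackgroundPage": "Background tab hidden",
    "NoSetFolders": "Control Panel / My Computer removed from Start menu",
    "NoStartMenuMorePrograms": "All Programs removed from Start menu",
    "NoControlPanel": "Control Panel disabled",
}

# Values that weaken built-in protections: name -> (setting of interest, description)
SECURITY_DOWNGRADES = {
    "DisableMonitoring": (1, "Security Center monitoring disabled"),
    "EnableFirewall": (0, "Windows Firewall disabled"),
}

# DSS sometimes prints a closing quote instead of ']' on a key line; accept both.
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)[\]"]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+?)\s*$')

def parse_value(raw):
    """Return an int for `1 (0x1)`, `dword:00000001` or `0` forms; None for strings."""
    raw = raw.strip()
    m = re.match(r"^(-?\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    if re.match(r"^-?\d+$", raw):
        return int(raw)
    return None

def parse_dump(text):
    """Map each registry key to a dict of {value name: raw value text}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("*Note*"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = vm.group("val")
    return keys

def find_findings(text):
    """Return (key, value name, numeric value, description) for every suspicious entry."""
    findings = []
    for key, values in parse_dump(text).items():
        for name, raw in values.items():
            val = parse_value(raw)
            if val is None:
                continue
            if "\\policies\\" in key.lower() and name in LOCKDOWN_POLICIES and val != 0:
                findings.append((key, name, val, LOCKDOWN_POLICIES[name]))
            elif name in SECURITY_DOWNGRADES:
                bad, desc = SECURITY_DOWNGRADES[name]
                if val == bad:
                    findings.append((key, name, val, desc))
    return findings

# Constructed sample, copied from the value forms that appear in this thread.
SAMPLE_DUMP = r"""
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=1 (0x1)
"DisableTaskMgr"=0 (0x0)
"NoDispCPL"=1 (0x1)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for key, name, val, desc in find_findings(SAMPLE_DUMP):
        print(f"{desc}: {name}={val} under {key}")
```

Run against the constructed sample it reports six entries: the two Display Properties restrictions, the two Start menu restrictions, Security Center monitoring off and the firewall off. Values such as `StartMenuLogoff` are parsed but not reported because they are not in the lockdown table; extend the tables to suit the logs you review.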
Old 06-08-2008, 06:56 AM   #2 (permalink)
Re: Worm.Win32.booster...locked out of property manager

BUMP this thread
Old 06-08-2008, 08:04 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 18,704
OS: WinXP and Win98se

Re: Worm.Win32.booster...locked out of property manager

Hello dbrunnerpsu and welcome,


This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
Old 06-09-2008, 09:01 AM   #4 (permalink)
Re: Worm.Win32.booster...locked out of property manager

Thank you, I now have all my files and folders back in the start menu. Here are the logs you asked for...

ComboFix 08-06-08.8 - Derren 2008-06-09 11:53:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.212 [GMT -5:00]
Running from: C:\Documents and Settings\Derren\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Derren\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\esbq.exe
C:\WINDOWS\system32\msssc.dll
C:\WINDOWS\vltdfabw.dll
C:\WINDOWS\vregfwlx.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-07 20:04 . 2008-06-07 20:04 <DIR> d-------- C:\Program Files\Uniblue
2008-06-07 20:04 . 2008-06-07 20:04 <DIR> d-------- C:\Documents and Settings\Derren\Application Data\Uniblue
2008-06-05 10:58 . 2008-06-05 10:58 <DIR> d-------- C:\Deckard
2008-06-05 00:14 . 2008-06-05 00:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 21:43 . 2008-06-04 21:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-04 21:43 . 2008-06-04 21:41 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-06-04 21:41 . 2008-06-04 21:42 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-06-04 20:08 . 2008-06-04 20:09 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-04 18:21 . 2008-06-04 18:21 <DIR> d-------- C:\!KillBox
2008-06-04 17:58 . 2008-06-04 17:58 <DIR> d-------- C:\Documents and Settings\Derren\Application Data\Grisoft
2008-06-04 17:53 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-06-04 17:52 . 2008-06-04 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-04 17:49 . 2008-06-05 00:20 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-04 17:49 . 2008-06-05 00:20 <DIR> d-------- C:\Documents and Settings\Derren\Application Data\Lavasoft
2008-06-04 17:41 . 2008-06-04 18:35 <DIR> d-------- C:\Program Files\CleanUp!
2008-06-04 12:39 . 2008-06-09 11:38 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-04 12:39 . 2008-06-04 12:39 <DIR> d-------- C:\Documents and Settings\Derren\Application Data\PC Tools
2008-06-04 12:39 . 2008-06-09 11:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-04 12:39 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-04 12:39 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-04 12:39 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-04 12:39 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-04 12:36 . 2008-06-04 12:36 <DIR> d-------- C:\Program Files\Panda Security
2008-06-03 23:43 . 2008-06-03 23:46 90,838 --a------ C:\WINDOWS\system32\phcl15j0eg9t.bmp
2008-06-03 23:43 . 2008-06-03 23:46 52,736 --a------ C:\WINDOWS\system32\blphcl15j0eg9t.scr
2008-05-25 00:24 . 2008-05-25 00:24 79 --a------ C:\WINDOWS\system32\NVU001.nvu
2008-05-24 23:39 . 2002-10-15 10:13 32,356 --------- C:\WINDOWS\system32\pusbfd1.sys
2008-05-24 23:39 . 2002-10-15 10:13 26,629 --------- C:\WINDOWS\system32\pusbfd2.vxd
2008-05-24 23:39 . 2008-05-25 00:35 1,659 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_NTBK_Pavilion zv5200 (DP523AV)_YN_0Pavi_QCND4520SNR_EU_46_I08A0_SCompal_V32.30_BF.30_T041021_WXH2_L409_M512_J100_7AMD_8Athlon 64_90.8_#080524_N10EC8139_(DP523AV)_XMOBILE_CN10_Z10DE00D9_2F.30_G10DE0179.MRK
2008-05-24 23:38 . 2008-05-24 23:38 <DIR> d-------- C:\Documents and Settings\Derren\Application Data\Sonic
2008-05-24 23:37 . 2008-05-24 23:37 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-05-24 23:37 . 2008-05-24 23:37 103,936 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-05-24 23:36 . 2004-04-14 08:36 7,432 --a------ C:\WINDOWS\system32\drivers\eabfiltr.sys
2008-05-24 23:36 . 2003-06-06 12:46 5,220 --a------ C:\WINDOWS\system32\drivers\EabUsb.sys
2008-05-24 23:35 . 2008-05-24 23:35 <DIR> d-------- C:\Program Files\muvee Technologies
2008-05-24 23:35 . 2008-05-24 23:36 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2008-05-24 23:35 . 2008-05-24 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-05-24 23:34 . 2008-05-24 23:34 <DIR> d-------- C:\Program Files\Zone.com
2008-05-24 23:34 . 2004-08-12 10:26 15,669 --a------ C:\WINDOWS\system32\oeminfo.ini
2008-05-24 23:31 . 2008-06-03 09:50 <DIR> d-------- C:\Program Files\InterVideo
2008-05-24 23:28 . 2003-01-24 22:27 22,198 -ra------ C:\WINDOWS\system32\OEMLogo.bmp
2008-05-24 23:27 . 2003-05-24 21:48 6,912,056 -ra------ C:\WINDOWS\Fractal Blue.bmp
2008-05-24 23:27 . 2003-05-24 21:32 6,912,056 -ra------ C:\WINDOWS\Crystal Rush.bmp
2008-05-24 23:27 . 2004-05-11 19:47 6,912,056 -ra------ C:\WINDOWS\Blue Sonic.bmp
2008-05-24 23:24 . 2003-10-24 01:11 46,976 --a------ C:\WINDOWS\system32\drivers\R8139n51.sys
2008-05-24 23:22 . 2008-05-24 23:22 <DIR> d-------- C:\WINDOWS\tiinst
2008-05-24 23:20 . 2008-05-24 23:20 <DIR> d-------- C:\Program Files\Analog Devices
2008-05-24 23:19 . 2008-05-24 23:43 <DIR> d-------- C:\SYSTEM.SAV
2008-05-22 01:30 . 2008-05-25 00:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-22 01:30 . 2008-05-25 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-22 01:21 . 2008-05-22 01:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 00:42 . 2008-06-05 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 16:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-04 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-31 04:15 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 04:15 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-31 04:15 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 04:15 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-31 04:15 --------- d-----w C:\Program Files\Symantec
2008-05-25 05:35 --------- d-----w C:\Program Files\Java
2008-05-25 05:29 --------- d-----w C:\Program Files\HPQ
2008-05-25 04:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 04:59 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-20 04:46 --------- d-----w C:\Program Files\UltimateBet
2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-22 14:24 --------- d-----w C:\Program Files\Safari
2008-04-22 14:22 --------- d-----w C:\Program Files\Apple Software Update
2008-01-09 03:06 61,224 ----a-w C:\Documents and Settings\Derren\GoToAssistDownloadHelper.exe
2007-12-12 22:28 61,760 ----a-w C:\Documents and Settings\Derren\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 13:01 1923352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 20:54 116072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2004-09-03 22:52 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 11:15 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2003-10-08 06:40 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-08-19 11:50 290816 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2004-04-08 05:22 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-06-04 21:41]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2006-07-27 09:00]
R2 LxrSII1d;Secure II Driver;C:\WINDOWS\system32\Drivers\LxrSII1d.sys [2006-12-14 09:37]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 01:42:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 11:55:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-09 11:56:55
ComboFix-quarantined-files.txt 2008-06-09 16:56:35

Pre-Run: 69,013,458,944 bytes free
Post-Run: 68,984,033,280 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition"
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

166 --- E O F --- 2008-06-09 09:00:58



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?L