getsn32.dll? spyware attack [RESOLVED]

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis� Logs Go Here

2 Pages

1 2 >

getsn32.dll? spyware attack [RESOLVED]

Options

trader View Member Profile	Oct 13 2008, 05:17 PM Post #1
Member Posts: 17 OS: XP	Hello, while browsing the web I got infected with a virus my Symantec AntiVirus popped up that it found something but I dont think It could delete it. My computer crashed then after restart my CTRL-ALT-DEL command returns the message "Task Manager has been disabled by your administrator." I only have one user account on my computer and its suppose to be the admin i think. I keep getting messages from the windows update triangle in the botton right corner of my screen telling me that my computer is infected, is running slowly, and that I need to download a FULL VIRUS SCAM. Also I got a prompt few times saying that a few of my windows files have been replaced or damaged and it asked me to insert my Windows XP Service Pack 3 CD. Right now Ive got my computer disconnected from the internet in safe mode. Before sending it in safe mode I copied the Hijackthis log to a USB drive and put it on this computer to send to you. So far I have used CleanUp! And ran a full Symantec virus scan, up to date as of 10/12/2008, which found nothing. Welp here you go, thanks soo much for your help. You guys have helped me out twice now. Thankyou. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:15:05 PM, on 10/13/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32\lkcitdl.exe C:\WINDOWS\system32\lkads.exe C:\WINDOWS\system32\lktsrv.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\uesiuqcr.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vt.edu/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: getsn32.msiesn - {36142BDD-7850-42FC-9681-1534A35285B9} - C:\WINDOWS\system32\getsn32.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - (no file) O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing O15 - Trusted Zone: http://learn.vt.edu O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe O23 - Service: NI Configuration Manager (mxssvr) - Unknown owner - C:\Program Files\National Instruments\MAX\nimxs.exe (file missing) O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: National Instruments Domain Service (NIDomainService) - Unknown owner - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe (file missing) O23 - Service: NILM License Manager - Unknown owner - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe (file missing) O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe O23 - Service: National Instruments Variable Engine (NITaggerService) - Unknown owner - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe (file missing) O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE (file missing) O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- End of file - 8005 bytes

Rorschach112 View Member Profile	Oct 13 2008, 05:29 PM Post #2
GeekU Teacher Posts: 21,845 From: Dublin OS: XP	Hello Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding. Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) Please then reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, the Advanced Options Menu should appear; Select the first option, to run Windows in Safe Mode, then press Enter. Choose your usual account. Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Finally paste the contents of the Report.txt back on the forum. Also post a new HJT log

trader View Member Profile	Oct 13 2008, 07:39 PM Post #3
Member Posts: 17 OS: XP	The situation doesnt seem to have gotten any better. Here are the logs. SDFix: Version 1.235 Run by Wesley Jessup on Mon 10/13/2008 at 09:00 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Restoring Default Desktop Wallpaper Resetting SecurityProviders Value Rebooting Checking Files : Trojan Files Found: C:\Program Files\GetModule\dicik.gz - Deleted C:\Program Files\GetModule\GetModule23.exe - Deleted C:\Program Files\GetModule\kwdik.gz - Deleted C:\Program Files\GetPack\dictame.gz - Deleted C:\Program Files\GetPack\GetPack22.exe - Deleted C:\Program Files\GetPack\trgtame.gz - Deleted C:\Program Files\iCheck\iCheck.exe - Deleted C:\Program Files\iCheck\Uninstall.exe - Deleted C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico - Deleted C:\WINDOWS\system32\wpv623.cpx - Deleted C:\WINDOWS\system32\wpv673.cpx - Deleted C:\WINDOWS\system32\wpv623.cpx - Deleted C:\WINDOWS\system32\wpv673.cpx - Deleted C:\WINDOWS\system32\getsn32.dll - Deleted C:\WINDOWS\system32\msansspc.dll - Deleted C:\WINDOWS\system32\smwin32.dll - Deleted Could Not Remove C:\WINDOWS\default.htm Folder C:\Program Files\GetModule - Removed Folder C:\Program Files\GetPack - Removed Folder C:\Program Files\iCheck - Removed Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-13 21:19:59 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe::Enabled:Warcraft III" "C:\\Program Files\\Valve\\Steam\\SteamApps\\dnsjo\\half-life\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\dnsjo\\half-life\\hl.exe::Enabled:Half-Life Launcher" "C:\\Program Files\\Valve\\Steam\\SteamApps\\dnsjo\\team fortress classic\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\dnsjo\\team fortress classic\\hl.exe::Enabled:Half-Life Launcher" "C:\\Program Files\\Valve\\Steam\\SteamApps\\dnsjo\\counter-strike source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\dnsjo\\counter-strike source\\hl2.exe::Enabled:hl2" "C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe::Enabled:Steam" "C:\\Program Files\\National Instruments\\LabVIEW 8.2\\LabVIEW.exe"="C:\\Program Files\\National Instruments\\LabVIEW 8.2\\LabVIEW.exe::Enabled:LabVIEW 8.2.1 Development System" "C:\\Program Files\\National Instruments\\Shared\\Example Finder\\1.0\\BIN\\NIExampleFinder.exe"="C:\\Program Files\\National Instruments\\Shared\\Example Finder\\1.0\\BIN\\NIExampleFinder.exe::Enabled:NIExampleFinder" "C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe::Enabled:Orb" "C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe::Enabled:OrbTray" "C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe::Enabled:Orb Stream Client" "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE::Enabled:Internet Explorer" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe::Enabled:�Torrent" "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe::Enabled:Bonjour" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe::Enabled:iTunes" "C:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"="C:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe::Enabled:Rosetta Stone Ltd Services" "C:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"="C:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe::Enabled:Rosetta Stone Version 3 Application" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"="C:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe::Enabled:Rosetta Stone Ltd Services" "C:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"="C:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe::Enabled:Rosetta Stone Version 3 Application" Remaining Files : C:\WINDOWS\default.htm Found File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Mon 2 Jan 2006 4,126,240 ...H. --- "C:\Program Files\Picasa2\setup.exe" Mon 27 Feb 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Sun 12 Oct 2008 19,968 ...H. --- "C:\Documents and Settings\Wesley Jessup\My Documents\~WRL0578.tmp" Tue 28 Nov 2006 228 A..H. --- "C:\Program Files\InterActual\InterActual Player\itiA.tmp" Sun 26 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Wed 29 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp" Thu 15 Feb 2007 1,487 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK" Finished! Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:35:49 PM, on 10/13/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32\lkcitdl.exe C:\WINDOWS\system32\lkads.exe C:\WINDOWS\system32\lktsrv.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\uesiuqcr.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vt.edu/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: getsn32.msiesn - {36142BDD-7850-42FC-9681-1534A35285B9} - C:\WINDOWS\system32\getsn32.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - (no file) O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing O15 - Trusted Zone: http://learn.vt.edu O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe O23 - Service: NI Configuration Manager (mxssvr) - Unknown owner - C:\Program Files\National Instruments\MAX\nimxs.exe (file missing) O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: National Instruments Domain Service (NIDomainService) - Unknown owner - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe (file missing) O23 - Service: NILM License Manager - Unknown owner - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe (file missing) O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe O23 - Service: National Instruments Variable Engine (NITaggerService) - Unknown owner - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe (file missing) O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE (file missing) O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- End of file - 8020 bytes This post has been edited by trader: Oct 13 2008, 08:10 PM

Rorschach112 View Member Profile	Oct 14 2008, 04:49 AM Post #4
GeekU Teacher Posts: 21,845 From: Dublin OS: XP	Hello Please visit this web page for instructions for downloading and running ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix This includes installing the Windows XP Recovery Console in case you have not installed it yet. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal. Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

trader View Member Profile	Oct 14 2008, 03:02 PM Post #5
Member Posts: 17 OS: XP	Still no noticable improvement. Here are the logs. ComboFix 08-10-12.01 - Wesley Jessup 2008-10-14 16:36:48.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.638 [GMT -4:00] Running from: C:\Documents and Settings\Wesley Jessup\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\default.htm C:\WINDOWS\system32\getsn32.dll C:\WINDOWS\system32\MSINET.oca . ((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 ))))))))))))))))))))))))))))))) . 2008-10-14 16:42 . 2008-10-14 16:42 1,961 --a------ C:\WINDOWS\default.htm 2008-10-13 22:06 . 2008-10-14 13:07 8,704 --a------ C:\WINDOWS\system32\smwin32.dll 2008-10-13 20:58 . 2008-10-13 20:58 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll 2008-10-13 20:50 . 2008-10-13 20:50 <DIR> d-------- C:\WINDOWS\ERUNT 2008-10-13 20:46 . 2008-10-13 21:22 <DIR> d-------- C:\SDFix 2008-10-13 19:14 . 2008-10-13 19:14 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-12 22:36 . 2008-10-12 22:36 85,008 --a------ C:\WINDOWS\system32\uesiuqcr.exe 2008-10-12 22:36 . 2008-10-12 22:36 16,896 --a------ C:\Documents and Settings\Wesley Jessup\~.exe 2008-09-24 20:39 . 2008-09-24 20:47 <DIR> d-------- C:\Program Files\support.com 2008-09-24 20:39 . 2008-09-24 20:39 <DIR> d-------- C:\Program Files\Common Files\SupportSoft 2008-09-24 20:39 . 2008-09-24 20:39 1,100 --a------ C:\net_save.dna 2008-09-15 12:09 . 2008-09-15 12:09 <DIR> d-------- C:\Program Files\Rosetta Stone 2008-09-15 12:08 . 2008-09-15 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RosettaStoneLtdBackup 2008-09-15 11:47 . 2008-09-15 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet 2008-09-15 11:46 . 2008-09-15 11:46 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared 2008-09-15 11:45 . 2008-10-12 00:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rosetta Stone . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-14 20:34 --------- d-----w C:\Program Files\Symantec AntiVirus 2008-10-14 17:10 --------- d-----w C:\Documents and Settings\Wesley Jessup\Application Data\uTorrent 2008-10-13 02:57 --------- d-----w C:\Program Files\CleanUp! 2008-10-12 20:17 --------- d-----w C:\Program Files\Warcraft III 2008-10-06 19:15 --------- d-----w C:\Program Files\MATLAB 2008-09-29 23:35 --------- d-----w C:\Program Files\Diablo ][ 2008-09-27 02:43 --------- d-----w C:\Program Files\World of Warcraft 2008-09-21 21:51 --------- d-----w C:\Program Files\Pure Networks 2008-09-13 19:22 --------- d-----w C:\Program Files\iTunes 2008-09-13 19:22 --------- d-----w C:\Program Files\iPod 2008-09-13 19:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-09-13 19:20 --------- d-----w C:\Program Files\QuickTime 2008-09-13 19:20 --------- d-----w C:\Program Files\Bonjour 2008-09-13 19:19 --------- d-----w C:\Program Files\Common Files\Apple 2008-09-13 19:18 --------- d-----w C:\Program Files\Apple Software Update 2008-09-12 01:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-09-12 01:04 --------- d-----w C:\Documents and Settings\Wesley Jessup\Application Data\Move Networks 2008-09-12 00:56 --------- d-----w C:\Program Files\Image-Line 2008-09-12 00:54 --------- d-----w C:\Program Files\VstPlugins 2008-09-12 00:52 --------- d-----w C:\Program Files\IGN 2008-09-12 00:52 --------- d-----w C:\Documents and Settings\Wesley Jessup\Application Data\IGN_DLM 2008-09-12 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-09-01 05:50 --------- d-----w C:\Program Files\Dub 2008-09-01 00:53 --------- d-----w C:\Program Files\LD-Anime 2008-08-29 16:50 --------- d-----r C:\Documents and Settings\Wesley Jessup\Application Data\Brother 2008-08-29 14:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe 2008-08-29 13:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll 2008-08-28 23:30 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-08-23 22:34 --------- d-----w C:\Documents and Settings\Wesley Jessup\Application Data\AdobeUM 2008-08-08 21:56 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll 2008-08-08 21:56 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll 2008-08-08 21:56 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll 2008-08-08 19:01 94,208 ----a-w C:\WINDOWS\DIIUnin.exe 2008-08-08 19:01 2,829 ----a-w C:\WINDOWS\DIIUnin.pif 2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll 2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe 2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll 2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll 2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll 2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll 2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll 2007-04-10 23:20 3,820,104 ----a-w C:\Documents and Settings\Wesley Jessup\gosetup.exe 2004-03-15 21:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll 2003-05-01 13:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll 2005-10-12 20:04 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll 2007-02-08 15:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 344064] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-13 C:\WINDOWS\system32\narrator.exe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-08 24576] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "AllowLegacyWebView"= 1 (0x1) "AllowUnhashedWebView"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\uesiuqcr.exe," [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.avis"= ff_acm.acm [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] -ra------ 2006-10-23 08:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] --a------ 2004-09-13 17:33 155648 C:\Program Files\Apoint\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier] --a------ 2008-09-03 20:12 111936 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] --a------ 2005-03-04 12:26 606208 C:\Program Files\Dell\QuickSet\quickset.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] --------- 2004-04-26 09:04 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2006-09-25 20:52 50736 C:\Program Files\Common Files\AOL\1123866785\EE\aolsoftware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager] --a------ 2005-01-12 15:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] --a------ 2005-02-17 00:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-09-10 17:40 289576 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] -ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender] --a------ 2006-04-03 18:12 777424 C:\Program Files\Windows Defender\MSASCui.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "AOL TopSpeedMonitor"=2 (0x2) "AOL ACS"=2 (0x2) "MSSQL$MICROSOFTSMLBIZ"=2 (0x2) "IDriverT"=3 (0x3) "GoToMyPC"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\Warcraft III\\Warcraft III.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"= "C:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"= R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-02-21 4096] R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 80384] S2 mxssvr;NI Configuration Manager;C:\Program Files\National Instruments\MAX\nimxs.exe [ ] S2 NITaggerService;National Instruments Variable Engine;C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe [ ] . Contents of the 'Scheduled Tasks' folder 2008-10-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2008-10-14 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe [2006-04-03 18:12] . - - - - ORPHANS REMOVED - - - - BHO-{36142BDD-7850-42FC-9681-1534A35285B9} - C:\WINDOWS\system32\getsn32.dll Notify-GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll MSConfigStartUp-!AVG Anti-Spyware - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe MSConfigStartUp-AOL Spyware Protection - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe MSConfigStartUp-GetModule23 - C:\Program Files\GetModule\GetModule23.exe MSConfigStartUp-GetPack22 - C:\Program Files\GetPack\GetPack22.exe MSConfigStartUp-GoToMyPC - C:\Program Files\Citrix\GoToMyPC\g2svc.exe MSConfigStartUp-SBCSTray - C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe MSConfigStartUp-UpdateManager - C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe MSConfigStartUp-WinampAgent - C:\Program Files\Winamp\winampa.exe . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Wesley Jessup\Application Data\Mozilla\Firefox\Profiles\c9w6x3hc.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.vt.edu/ . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-14 16:42:12 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-10-14 16:47:41 ComboFix-quarantined-files.txt 2008-10-14 20:47:38 ComboFix2.txt 2007-06-12 20:42:16 Pre-Run: 3,013,808,128 bytes free Post-Run: 3,000,229,888 bytes free 209 --- E O F --- 2008-09-10 16:56:56 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:59:27 PM, on 10/14/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\uesiuqcr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\system32\basfipm.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32\lkcitdl.exe C:\WINDOWS\system32\lkads.exe C:\WINDOWS\system32\lktsrv.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vt.edu/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://learn.vt.edu O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe O23 - Service: NI Configuration Manager (mxssvr) - Unknown owner - C:\Program Files\National Instruments\MAX\nimxs.exe (file missing) O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: National Instruments Domain Service (NIDomainService) - Unknown owner - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe (file missing) O23 - Service: NILM License Manager - Unknown owner - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe (file missing) O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe O23 - Service: National Instruments Variable Engine (NITaggerService) - Unknown owner - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe (file missing) O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE (file missing) O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- End of file - 7678 bytes

Rorschach112 View Member Profile	Oct 14 2008, 03:23 PM Post #6
GeekU Teacher Posts: 21,845 From: Dublin OS: XP	Hello 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 3. Open notepad and copy/paste the text in the quotebox below into it: QUOTE File:: C:\WINDOWS\default.htm C:\WINDOWS\system32\smwin32.dll C:\WINDOWS\system32\uesiuqcr.exe C:\Documents and Settings\Wesley Jessup\~.exe Folder:: Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"=- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"=- KillAll:: Driver:: Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

trader

Oct 14 2008, 05:28 PM

Post #7

Member

Posts: 17
OS: XP

My computer seems to be better. I can use my task manager, connect to the interenet, my desktop background warning is going, and so is the little windows update triangle warning. domo arigato gozaimasu, thank you.

ComboFix 08-10-12.01 - Wesley Jessup 2008-10-14 18:00:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.624 [GMT -4:00]
Running from: C:\Documents and Settings\Wesley Jessup\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wesley Jessup\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Wesley Jessup\~.exe
C:\WINDOWS\default.htm
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\uesiuqcr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Wesley Jessup\~.exe
C:\WINDOWS\default.htm
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\uesiuqcr.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
.

2008-10-13 20:58 . 2008-10-13 20:58 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-10-13 20:50 . 2008-10-13 20:50 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-13 20:46 . 2008-10-13 21:22 <DIR> d-------- C:\SDFix
2008-10-13 19:14 . 2008-10-13 19:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-24 20:39 . 2008-09-24 20:47 <DIR> d-------- C:\Program Files\support.com
2008-09-24 20:39 . 2008-09-24 20:39 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-09-24 20:39 . 2008-09-24 20:39 1,100 --a------ C:\net_save.dna
2008-09-15 12:09 . 2008-09-15 12:09 <DIR> d-------- C:\Program Files\Rosetta Stone
2008-09-15 12:08 . 2008-09-15 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RosettaStoneLtdBackup
2008-09-15 11:47 . 2008-09-15 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-15 11:46 . 2008-09-15 11:46 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-09-15 11:45 . 2008-10-12 00:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rosetta Stone

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 20:34 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-10-14 17:10 --------- d-----w C:\Documents and Settings\Wesley Jessup\Application Data\uTorrent
2008-10-13 02:57 --------- d-----w C:\Program Files\CleanUp!
2008-10-12 20:17 --------- d-----w C:\Program Files\Warcraft III
2008-10-06 19:15 --------- d-----w C:\Program Files\MATLAB
2008-09-29 23:35 --------- d-----w C:\Program Files\Diablo ][
2008-09-27 02:43 --------- d-----w C:\Program Files\World of Warcraft
2008-09-21 21:51 --------- d-----w C:\Program Files\Pure Networks
2008-09-13 19:22 --------- d-----w C:\Program Files\iTunes
2008-09-13 19:22 --------- d-----w C:\Program Files\iPod
2008-09-13 19:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-13 19:20 --------- d-----w C:\Program Files\QuickTime
2008-09-13 19:20 --------- d-----w C:\Program Files\Bonjour
2008-09-13 19:19 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-13 19:18 --------- d-----w C:\Program Files\Apple Software Update
2008-09-12 01:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-12 01:04 --------- d-----w C:\Documents and Settings\Wesley Jessup\Application Data\Move Networks
2008-09-12 00:56 --------- d-----w C:\Program Files\Image-Line
2008-09-12 00:54 --------- d-----w C:\Program Files\VstPlugins
2008-09-12 00:52 --------- d-----w C:\Program Files\IGN
2008-09-12 00:52 --------- d-----w C:\Documents and Settings\Wesley Jessup\Application Data\IGN_DLM
2008-09-12 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-01 05:50 --------- d-----w C:\Program Files\Dub
2008-09-01 00:53 --------- d-----w C:\Program Files\LD-Anime
2008-08-29 16:50 --------- d-----r C:\Documents and Settings\Wesley Jessup\Application Data\Brother
2008-08-28 23:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-23 22:34 --------- d-----w C:\Documents and Settings\Wesley Jessup\Application Data\AdobeUM
2008-08-08 19:01 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-08-08 19:01 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2007-04-10 23:20 3,820,104 ----a-w C:\Documents and Settings\Wesley Jessup\gosetup.exe
2004-03-15 21:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
2003-05-01 13:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
2005-10-12 20:04 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 15:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 344064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-08 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windo