[teewanna]

Please help!! hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:09 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\byXNeEVm.dll
O2 - BHO: (no name) - {E33C28FE-3D8C-4697-95E1-942C14009C00} - C:\WINDOWS\system32\awtrRHYS.dll (file missing)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: byXNeEVm - C:\WINDOWS\SYSTEM32\byXNeEVm.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 1869 bytes

I can't seem to remove byXNeEVm.dll. Also, I notice that freguently rundll32 is added to registry on startup (run) and a few dlls are generated randomly in system32 folder. These files cannot be removed, but I was able to rename them.

[Advertisements]

Hello teewanna,

Welcome to Geeks to Go.

First of all, do not rename any files unless I specifically ask you to as this can make the task of cleaning your computer more difficult.

That HJT log seems quite short, so let's have a more detailed look inside your system.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

[Octagonal]

Hello teewanna,

Welcome to Geeks to Go.

First of all, do not rename any files unless I specifically ask you to as this can make the task of cleaning your computer more difficult.

That HJT log seems quite short, so let's have a more detailed look inside your system.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

[teewanna]

Deckard's System Scanner v20071014.68
Run by Tri on 2008-07-09 09:52:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
47: 2008-07-09 13:52:47 UTC - RP290 - Deckard's System Scanner Restore Point
46: 2008-07-09 00:04:26 UTC - RP289 - Move file to quarantine: byXNeEVm.dll
45: 2008-07-09 00:02:31 UTC - RP288 - Move file to quarantine: byXNeEVm.dll
44: 2008-07-09 00:00:45 UTC - RP287 - Move file to quarantine: byXNeEVm.dll
43: 2008-07-08 22:38:56 UTC - RP286 - System Checkpoint


-- First Restore Point --
1: 2008-06-25 00:09:38 UTC - RP244 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 496 MiB (512 MiB recommended).


-- HijackThis (run as Tri.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:57 AM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tri\Desktop\dss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Tri.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\byXNeEVm.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215558006578
O20 - Winlogon Notify: byXNeEVm - C:\WINDOWS\SYSTEM32\byXNeEVm.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 2013 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080708-174632-913 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
backup-20080708-174723-131 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 166.112.60.60:80
backup-20080708-174756-736 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 166.112.*.*;*.fema.net;dhsonline.dhs.gov;161.214.*.*;directory.dhs.gov;<local>
backup-20080708-174852-845 O2 - BHO: {066cd90f-e455-6248-4514-212925f12fc4} - {4cf21f52-9212-4154-8426-554ef09dc660} - C:\WINDOWS\system32\yrbrgz.dll
backup-20080708-174852-481 O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\byXNeEVm.dll
backup-20080708-174852-748 O2 - BHO: (no name) - {E33C28FE-3D8C-4697-95E1-942C14009C00} - C:\WINDOWS\system32\awtrRHYS.dll (file missing)
backup-20080708-174852-947 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
backup-20080708-174930-998 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20080708-174930-753 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %SystemRoot%\system32\blank.htm
backup-20080708-174930-490 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
backup-20080708-174930-443 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
backup-20080708-174930-684 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
backup-20080708-174930-960 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
backup-20080708-174930-603 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20080708-174930-938 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
backup-20080708-174944-889 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
backup-20080708-174944-968 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20080708-175246-551 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
backup-20080708-175426-312 O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\byXNeEVm.dll
backup-20080708-175426-263 O2 - BHO: (no name) - {E33C28FE-3D8C-4697-95E1-942C14009C00} - C:\WINDOWS\system32\awtrRHYS.dll (file missing)
backup-20080708-175426-146 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080708-175426-498 O9 - Extra button: Vietkar2 - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Vietnam Audio Networks\Vietkar\Vietkar2.exe (file missing)
backup-20080708-175426-248 O9 - Extra 'Tools' menuitem: Tools Menu Item - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Vietnam Audio Networks\Vietkar\Vietkar2.exe (file missing)
backup-20080708-175427-326 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
backup-20080708-175427-875 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080708-175427-525 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080708-175427-953 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080708-175428-896 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080708-175428-747 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
backup-20080708-175428-802 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
backup-20080708-175430-736 O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffer...oad/CfxIEAx.cab
backup-20080708-175430-108 O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffer...x4Financial.cab
backup-20080708-175431-245 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215058537031
backup-20080708-175431-993 O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
backup-20080708-175432-215 O20 - Winlogon Notify: byXNeEVm - C:\WINDOWS\SYSTEM32\byXNeEVm.dll
backup-20080708-175530-665 O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\byXNeEVm.dll
backup-20080708-175530-967 O2 - BHO: (no name) - {E33C28FE-3D8C-4697-95E1-942C14009C00} - C:\WINDOWS\system32\awtrRHYS.dll (file missing)
backup-20080708-175530-327 O20 - Winlogon Notify: byXNeEVm - C:\WINDOWS\SYSTEM32\byXNeEVm.dll
backup-20080708-180449-219 O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\byXNeEVm.dll
backup-20080708-180450-803 O2 - BHO: (no name) - {E33C28FE-3D8C-4697-95E1-942C14009C00} - C:\WINDOWS\system32\awtrRHYS.dll (file missing)
backup-20080708-180450-198 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080708-180450-835 O20 - Winlogon Notify: byXNeEVm - C:\WINDOWS\SYSTEM32\byXNeEVm.dll
backup-20080708-180749-517 O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\byXNeEVm.dll
backup-20080708-180749-716 O20 - Winlogon Notify: byXNeEVm - C:\WINDOWS\SYSTEM32\byXNeEVm.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ENECBPTH (ENE Cardbus Patch Driver) - c:\windows\system32\drivers\enecbpth.sys <Not Verified; EnE Technology Inc.; EnE Cardbus Patch Driver for Windows ® 2000/XP>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 SMNDIS5 (SMNDIS5 NDIS Protocol Driver) - c:\program files\verizon wireless\vzaccess manager\smndis5.sys <Not Verified; Smith Micro Software, Inc.; QuickLink Wi-Fi>
S3 TnIDriver - c:\docume~1\tri\locals~1\temp\tni2cb.tmp (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\530001A823F47
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\530001A823F47
Service: NIC1394


-- Files created between 2008-06-09 and 2008-07-09 -----------------------------

2008-07-09 01:01:15 320000 --a------ C:\WINDOWS\system32\urqQKBuR.dll
2008-07-09 00:01:17 320000 --a------ C:\WINDOWS\system32\qoMfdAQk.dll
2008-07-08 23:01:17 320000 --a------ C:\WINDOWS\system32\urqQgdcY.dll
2008-07-08 22:01:15 320000 --a------ C:\WINDOWS\system32\ljJBqrSJ.dll
2008-07-08 21:01:12 320000 --a------ C:\WINDOWS\system32\urqPiGVm.dll
2008-07-08 20:00:49 320000 --a------ C:\WINDOWS\system32\jkkICTmN.dll
2008-07-08 19:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-08 19:56:27 0 d-------- C:\Program Files\Security Task Manager
2008-07-08 19:00:10 0 d-------- C:\WINDOWS\LastGood
2008-07-08 17:41:15 0 d-------- C:\Program Files\Trend Micro
2008-07-02 20:29:05 0 d-------- C:\Documents and Settings\Tri\Application Data\PC Tools
2008-07-02 20:29:04 0 d-------- C:\Program Files\Spyware Doctor
2008-07-02 20:03:26 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-24 20:26:29 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-06-24 20:25:54 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-24 20:09:27 758223 --ahs---- C:\WINDOWS\system32\SYHRrtwa.ini2
2008-06-24 20:05:23 0 d--hs---- C:\WINDOWS\VHJp
2008-06-24 20:04:10 25088 -----n--- C:\WINDOWS\system32\byXNeEVm.dll
2008-06-21 12:31:15 0 d-------- C:\Program Files\Nsasoft


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C28EAFB-FF50-4F42-8D39-A006129CC907}]
06/24/2008 08:04 PM 25088 --------- C:\WINDOWS\system32\byXNeEVm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [07/02/2008 10:49 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{9C28EAFB-FF50-4F42-8D39-A006129CC907}"= C:\WINDOWS\system32\byXNeEVm.dll [06/24/2008 08:04 PM 25088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXNeEVm]
byXNeEVm.dll 06/24/2008 08:04 PM 25088 C:\WINDOWS\system32\byXNeEVm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtrRHYS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{209318ac-7e71-11dc-9dee-000e353a156b}]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-09 09:58:07 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.50GHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 495.48 MiB / 214.72 MiB
Pagefile Memory (total/avail): 1159.24 MiB / 822.8 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.57 MiB

C: is Fixed (FAT32) - 27.38 GiB total, 6.64 GiB free.
D: is Fixed (FAT32) - 9.76 GiB total, 2.2 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST94019A - 37.26 GiB - 3 partitions
\PARTITION0 (bootable) - Unknown - 27.39 GiB - C:
\PARTITION1 - Unknown - 9.77 GiB - D:
\PARTITION2 - Unknown - 7.84 MiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\LeechFTP\\Leechftp.exe"="C:\\Program Files\\LeechFTP\\Leechftp.exe:*:Enabled:LeechFTP"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Tri\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MELISSA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Tri
include=C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
lib=C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
LOGONSERVER=\\MELISSA
MSDevDir=C:\Program Files\Microsoft Visual Studio\Common\MSDev98
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\VC98\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Tri\LOCALS~1\Temp
TMP=C:\DOCUME~1\Tri\LOCALS~1\Temp
USERDOMAIN=MELISSA
USERNAME=Tri
USERPROFILE=C:\Documents and Settings\Tri
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Tri (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
--> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Agere Systems AC'97 Modem --> agrsmdel
ArcGIS Desktop --> MsiExec.exe /I{40F8FD5F-4701-48D6-A8FC-1F188007DF38}
Aspire Series --> C:\Program Files\Aspire Series\uninstall.exe
CRW Series Driver v1.17r019 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39AE0413-CEFC-4559-AC5F-855A1C006D2F}\SETUP.EXE" -l0x9
Data Access Objects (DAO) 3.5 --> C:\WINDOWS\System32\Unwise32.exe C:\PROGRA~1\COMMON~1\MICROS~1\DAO\Dao35.log
ESRI MapObjects 2 Runtime --> C:\WINDOWS\System32\Unwise32.exe C:\WINDOWS\MO21RT.log
ESRI MapObjects 2.2 --> C:\WINDOWS\System32\Unwise32.exe C:\PROGRA~1\ESRI\MAPOBJ~1\Mo20.log
ESRI Software Documentation Library --> MsiExec.exe /I{0169C189-FB39-4756-B9A3-6B816C52357D}
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Indeo® Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Java 2 Runtime Environment, SE v1.4.2_01 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142010}
Launch Manager --> C:\WINDOWS\UnInst32.exe CPLFL32.UNI
LeechFTP --> C:\WINDOWS\eraser.exe KILL "C:\Program Files\LeechFTP\uninstall.uif"
LotInfo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C19B1F40-4B5C-4782-8BB9-26FB55616F26}\setup.exe" -l0x9
Macromedia Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
MapBasic 7.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MapInfo\MapBasic\MapBasic65.isu"
MapInfo Professional 7.0 --> MsiExec.exe /I{0660BFE2-CD47-400F-A19D-8EC89C91CA8B}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{AD6F07C1-F781-4743-A34E-2FEB9E714B15}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual Studio 6.0 Professional Edition --> "C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Mobile Broadband Drivers --> MsiExec.exe /X{8696ED8F-F797-40F0-A52A-CF6552E338E1}
Mozilla Firefox (2.0.0.15) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSDN Library - October 2003 --> MsiExec.exe /I{F95B340A-67A5-419C-843B-949406A357D2}
NTI CD & DVD-Maker Gold --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778} /l1033 AnyText
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\SETUP.EXE" -uninstall
Python 2.1 --> C:\PYTHON21\\PYTHON21\UNWISE.EXE C:\PYTHON21\\PYTHON21\INSTALL.LOG
Python 2.1 combined Win32 extensions --> C:\PYTHON21\UNWISE~1.EXE C:\PYTHON21\w32inst.log
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Security Task Manager 1.7f --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Skype 1.3 --> "C:\Program Files\Skype\Phone\unins000.exe"
SMSC IrCC Driver V5.1.2462.0 (WinXP) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC86822D-3A20-11D5-801B-00E029348F40}\setup.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TradeStation 8.1 SP1 (Build 3159) --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{907AB914-566B-4BD6-A8F5-2786D1799A8B} TradeStation Uninstall
ud@Soft vbTool 2.2 --> C:\Program Files\svbTool\uninst.exe
Virtual Earth 3D (Beta) --> MsiExec.exe /X{619B8475-0F48-41B7-A370-5147F7092989}
VZAccess Manager --> C:\PROGRA~1\VERIZO~1\VZACCE~1\UNWISE.EXE C:\PROGRA~1\VERIZO~1\VZACCE~1\INSTALL.LOG
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
whois 2.7 --> "C:\Program Files\Nsasoft\whois\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Address AutoComplete --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\yaddbook.dll
Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\YAHOO!\COMMON\YMMAPI~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\YAHOO!\COMMON\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1056 / Error
Event Submitted/Written: 07/02/2008 11:25:44 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00011639.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type1047 / Error
Event Submitted/Written: 07/02/2008 08:24:32 PM
Event ID/Source: 0 / pctsSvc.exe
Event Description:
The service process could not connect to the service controller

Event Record #/Type1044 / Error
Event Submitted/Written: 07/02/2008 07:26:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16674, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1042 / Error
Event Submitted/Written: 07/02/2008 07:24:30 PM
Event ID/Source: 1010 / Windows Product Activation
Event Description:
The Windows license was restored due to a system error. You might need to reactivate your Windows product.

Event Record #/Type1041 / Error
Event Submitted/Written: 07/02/2008 07:16:22 PM
Event ID/Source: 1010 / Windows Product Activation
Event Description:
The Windows license was restored due to a system error. You might need to reactivate your Windows product.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15921 / Warning
Event Submitted/Written: 07/09/2008 09:49:06 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 02023F19E348. The IP address being used is 169.254.43.181.

Event Record #/Type15908 / Error
Event Submitted/Written: 07/08/2008 06:57:52 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type15894 / Error
Event Submitted/Written: 07/08/2008 06:21:36 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
IKFileSec

Event Record #/Type15875 / Error
Event Submitted/Written: 07/08/2008 06:02:24 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
IKFileSec

Event Record #/Type15873 / Warning
Event Submitted/Written: 07/08/2008 06:01:43 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 000E353A156B. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-07-09 09:58:07 ------------

[Octagonal]

Hello teewanna,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[Octagonal]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.