# Solved: trojan.Wimad.a problems



## Jess222 (May 13, 2007)

Hi,
Could someone please advise me on how to get rid of this trojan? Darling daughter unwittingly opened it 2 days ago. Since then, I have used AVG anti-spyware and anti-virus and it seems to temporarily fix the problem. As soon as she logs on to her screen and signs in to her MSN the trojan automatically sends to everyone online. I can't seem to stop this. Have also found that when using YouTube, pages load but video screen does not! I don't know whether or not this is related to having the trojan? Any help would be greatly appreciated. Thanks

Here is my log file

Logfile of HijackThis v1.99.1
Scan saved at 6:38:36 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rndsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.paramountpc.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Application Process] rndsvc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashlyn.CATHY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paramountpc.com.au
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games  Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/CheckersZPA.cab40641.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


----------



## cybertech (Apr 16, 2002)

Please *download* the *OTMoveIt by OldTimer*.

*Save* it to your *desktop*.
Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\WINDOWS\system32\rndsvc.exe*

Return to OTMoveIt, right click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
Click the red *Moveit!* button.
Close *OTMoveIt*.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

Please download (save) *MsnCleaner.zip* to your desktop. 
Extract the content of MsnCleaner.zip to your Desktop.
Restart in Safe Mode.

To boot up in Safe mode, continuously tap the F8 key while starting your computer. 
You should see a black screen displaying the Windows Advanced Menu Options. 
Using your keyboard's arrow keys, select Safe mode, then hit Enter.

Double-click MsnCleaner.exe to run it.
Click the Analyze button.
A report will be created once you finish the scan.
If it finds an infection, click the Deleted button.
Now, please reboot back to normal mode.
Please post the contents of C:\MsnCleaner.txt in a reply to this post.


----------



## Jess222 (May 13, 2007)

Hi, 
Thanks for your reply. Since I last posted I have run Spy-bot S&D and Nod 32 because now I have this Bestseller anti-virus Virus which is allowing fake anti-virus alerts and solutions windows to keep popping up all over the place, as well as this constant yellow flashing triangle in my system tray. I cannot get rid of this! Only in the short term. It seems to have taken over my internet explorer. I tried to complete the first part of your solution but it told me that the file was not found. I am posting a new log and will wait for your response. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:29 AM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wminqxkx.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [dc6c0abe] rundll32.exe "C:\WINDOWS\system32\dylvvcky.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashlyn.CATHY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paramountpc.com.au
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games  Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00FEB24.dat
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7473 bytes


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wminqxkx.dll
O4 - HKLM\..\Run: [dc6c0abe] rundll32.exe "C:\WINDOWS\system32\dylvvcky.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00FEB24.dat

*Close all applications and browser windows before you click "fix checked".*

Please *download* the *OTMoveIt by OldTimer*.

*Save* it to your *desktop*.
Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\WINDOWS\system32\wminqxkx.dll
C:\WINDOWS\system32\dylvvcky.dll
C:\WINDOWS\system32\__c00FEB24.dat*

Return to OTMoveIt, right click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
Click the red *Moveit!* button.
Close *OTMoveIt*.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

Download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***
--------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
--------------------------------------------------------------------

Double click on *combofix.exe* & follow the prompts.

When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.

***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***


----------
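
Added example (not part of any post in this thread): comparing the load-point entries of two HijackThis logs, using lines excerpted from the two logs posted above. The function names and the choice of sections O3, O4 and O20 are assumptions made for this illustration; a new entry is only a candidate for review, as the legitimate `nod32kui` line in the result shows.

```python
import re

# Excerpt of the first log posted in this thread (HijackThis v1.99.1).
LOG_BEFORE = r"""
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Application Process] rndsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Excerpt of the second log posted in this thread (HijackThis v2.0.2).
LOG_AFTER = r"""
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wminqxkx.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [dc6c0abe] rundll32.exe "C:\WINDOWS\system32\dylvvcky.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00FEB24.dat
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Sections compared here (an assumption of this example): O3 = IE toolbars,
# O4 = Run keys and Startup folders, O20 = AppInit_DLLs.
LOAD_POINT_CODES = {"O3", "O4", "O20"}

# A HijackThis entry line looks like "O4 - <details>" or "R1 - <details>".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# File references below C:\WINDOWS\system32, stopping at a quote, comma or space.
SYSTEM32_RE = re.compile(r'C:\\WINDOWS\\system32\\[^\\"\s,]+', re.IGNORECASE)


def parse_entries(log_text):
    """Map a case-insensitive key to the original (code, body) of each entry."""
    entries = {}
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            code = match.group("code")
            body = match.group("body").strip()
            # Windows paths are case-insensitive, so compare on a folded key.
            entries[(code, body.casefold())] = (code, body)
    return entries


def diff_load_points(before_text, after_text):
    """Return (added, removed) load-point entries between two logs."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)

    def pick(keys, source):
        rows = [source[k] for k in keys if k[0] in LOAD_POINT_CODES]
        # Order by section number, then by entry text, for stable output.
        return sorted(rows, key=lambda e: (int(e[0][1:]), e[1]))

    added = pick(after.keys() - before.keys(), after)
    removed = pick(before.keys() - after.keys(), before)
    return added, removed


def system32_files(entries):
    """Collect the system32 file paths referenced by the given entries."""
    found = set()
    for _code, body in entries:
        found.update(SYSTEM32_RE.findall(body))
    return sorted(found)


if __name__ == "__main__":
    added, removed = diff_load_points(LOG_BEFORE, LOG_AFTER)
    print("New load points since the first log:")
    for code, body in added:
        print(f"  {code} - {body}")
    print("Load points no longer present:")
    for code, body in removed:
        print(f"  {code} - {body}")
    print("system32 files referenced by new entries:")
    for path in system32_files(added):
        print(f"  {path}")
```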



## Jess222 (May 13, 2007)

Hi Cybertech,

Well, I went to do as you said and ran another HijackThis. But unfortunately, I only have the first on the list of the things that you wanted me to check and fix. The other two are similar, but are not as you have told me. I haven't checked or fixed anything yet, so I am wondering what to do next?? Thanks


----------



## cybertech (Apr 16, 2002)

Skip the HJT part and run ComboFix.


----------



## Jess222 (May 13, 2007)

Hi, 

I am trying to download combofix, but when I try to install it, it won't let me. It shows the save file button (faded) but it won't let me run the file! All it allows me to do is press the cancel button. Help!


----------



## cybertech (Apr 16, 2002)

Please perform a scan with *Kaspersky Webscan Online Virus Scanner*

1. Read the Requirements and Privacy statement, then select "*Accept*". 
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "*Do you want to install this software*?". 
3. Click "*Yes*" or select "*Install*" to download the ActiveX controls that allow ActiveScan to run. 
4. When the download is complete it will say ready, click "*Next*". 
5. Click "*Scan Settings*" and check the option to use the *Extended Database* (if available, otherwise Standard). 
6. Click "*Scan Options*" and select both "*Scan Archives*" and "*Scan Mail Bases*". 
7. Click "*OK*". 
8. Under "*Select a target to scan*", click on "*My Computer*". 
9. When the scan is complete choose to save the results as "*Save as Text*" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for _Free Online Virus Scanner_. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps *here* and reboot afterwards if your system does not reboot automatically or it will show '_Kaspersky Online Scanner license key was not found!_'


----------



## Jess222 (May 13, 2007)

Hi again,

Well, you ain't gonna believe this one! I have done the scan and it's sitting here on my desktop. But when I go to post it to you, it either does not let me even paste it...paste button is faded grey and I can't use it, so I thought to reboot my comp, and I got as far as pasting it into here, but then when I go to post it, the comp freezes every time and it won't let me post anything! I have also had a window pop up when I have the kaspersky text open which tells me the contents have been changed and did I want to save the changes!!?. I think I am about to lose the plot!!!....lol


----------



## cybertech (Apr 16, 2002)

Please post the resulting log here as an attachment.


Click on the orange *Post a Reply!* button
Scroll down to Manage Attachments
Click in the box that says Upload File from your Computer
Click the Browse... button and find the file then click open
Click the Upload button
Wait until you see *Current Attachment* and your file name
Click on Close this window
Then submit the reply.


----------



## LauraMJ (Mar 18, 2004)

Cybertech,

She is having problems posting on here, she keeps getting this message:



> ..."Invalid Thread specified. If you have followed a valid link please notify the administrator".


And we are working on a solution.


----------



## cybertech (Apr 16, 2002)

She can send me the log by e-mail. You can send her my e-mail addy if you want.


----------



## LauraMJ (Mar 18, 2004)

Thanks, I'll let her know.


----------



## cybertech (Apr 16, 2002)

Hi Jess222,
I got your e-mail and it is a *very* large file. I suspect a lot of what is in there has to do with system volume restore, those items I am not concerned about. Can you eliminate those from the log?


----------



## cybertech (Apr 16, 2002)

If not try this instead:

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes* group click *ALL*
In the *Win32 Services* group click *ALL*
In the *Driver Services* group click *ALL*
In the *Registry* group click *ALL*
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*
In the *File String Search* group select *ALL*
In the Additional scans section please select *ALL*
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


Click on the orange *Post a Reply!* button
Scroll down to Manage Attachments
Click in the box that says Upload File from your Computer
Click the Browse... button and find the file then click open
Click the Upload button
Wait until you see *Current Attachment* and your file name
Click on Close this window
Then submit the reply.


----------



## Jess222 (May 13, 2007)

Hi Cybertech,
Can you please tell me how to eliminate those system volume restore files from my log? I have tried Kaspersky scan and the WinPFind3u scan, and both logs are still way too big to send. Thanks


----------



## cybertech (Apr 16, 2002)

Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405


----------



## Jess222 (May 13, 2007)

Hi, 
I am still having a great deal of trouble trying to post my log. All of my files have "Object is locked skipped" written at the end of each of them. Is this normal? Doing the system restore thing does not seem to have lessened the size of the file. Help!


----------



## cybertech (Apr 16, 2002)

"Object is locked skipped" means the file is in use, so the less things you have open the fewer of these objects will be locked. Does that help?

I can only guess at what is making the log so big.

Let's try this...

Remove one of your anti-virus programs first. You have Eset and AVG.

Please download *ATF Cleaner* by Atribune. 
*This program is for XP and Windows 2000 only*
 
Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button. 

Click *Exit* on the Main menu to close the program.

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply with a new hijackthis log.*

Click *Close* to exit the program.


----------



## Jess222 (May 13, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/15/2007 at 05:10 PM

Application Version : 3.9.1008

Core Rules Database Version : 3345
Trace Rules Database Version: 1346

Scan type : Complete Scan
Total Scan Time : 01:34:51

Memory items scanned : 373
Memory threats detected : 0
Registry items scanned : 5710
Registry threats detected : 7
File items scanned : 111704
File threats detected : 393

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{BC5698DC-82D3-405F-8506-F64FDAF58F56}
HKCR\CLSID\{BC5698DC-82D3-405F-8506-F64FDAF58F56}
HKCR\CLSID\{BC5698DC-82D3-405F-8506-F64FDAF58F56}\InprocServer32
HKCR\CLSID\{BC5698DC-82D3-405F-8506-F64FDAF58F56}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSQO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC5698DC-82D3-405F-8506-F64FDAF58F56}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKU\S-1-5-21-1957994488-790525478-725345543-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{11A69AE4-FBED-4832-A2BF-45AF82825583}

Adware.Tracking Cookie
C:\Documents and Settings\Cathy28\Cookies\[email protected][1].txt
C:\Documents and Settings\Emmy\Cookies\[email protected][1].txt
C:\Documents and Settings\Emmy\Cookies\[email protected][1].txt
C:\Documents and Settings\Emmy\Cookies\[email protected][2].txt
C:\Documents and Settings\Emmy\Cookies\[email protected][2].txt
C:\Documents and Settings\Emmy\Cookies\[email protected][2].txt
C:\Documents and Settings\Emmy\Cookies\[email protected][3].txt
C:\Documents and Settings\Emmy\Cookies\[email protected][1].txt

Trojan.Unknown Origin

Malware.LocusSoftware Inc/BestSellerAntivirus
C:\DOCUMENTS AND SETTINGS\EMMY\LOCAL SETTINGS\TEMP\~UGA6PSETUP.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP
C:\WINDOWS\SYSTEM32\MLKKJ.TMP
C:\WINDOWS\SYSTEM32\OQSTV.BAK1

Well, I don't believe it!! I think it just posted..lol


----------



## Jess222 (May 13, 2007)

...and here is the HijackThis log....thought I would post separately...didn't want to push my luck!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:42 PM, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {6e0505ab-fcab-009b-9f24-95b0b7052e16} - {61e2507b-0b59-42f9-b900-bacfba5050e6} - C:\WINDOWS\system32\plfpquxd.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [dc6c0abe] rundll32.exe "C:\WINDOWS\system32\epeulnov.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashlyn.CATHY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paramountpc.com.au
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games  Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0085369.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wminqxkx - wminqxkx.dll (file missing)
O20 - Winlogon Notify: wqjcwmvm - wqjcwmvm.dll (file missing)
O20 - Winlogon Notify: zrkwbnfv - zrkwbnfv.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7510 bytes


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

O2 - BHO: {6e0505ab-fcab-009b-9f24-95b0b7052e16} - {61e2507b-0b59-42f9-b900-bacfba5050e6} - C:\WINDOWS\system32\plfpquxd.dll (file missing)
O4 - HKLM\..\Run: [dc6c0abe] rundll32.exe "C:\WINDOWS\system32\epeulnov.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0085369.dat
O20 - Winlogon Notify: wminqxkx - wminqxkx.dll (file missing)
O20 - Winlogon Notify: wqjcwmvm - wqjcwmvm.dll (file missing)
O20 - Winlogon Notify: zrkwbnfv - zrkwbnfv.dll (file missing)

*Close all applications and browser windows before you click "fix checked".*

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders", click "Apply", then "OK".

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\DOCUMENTS AND SETTINGS\*EMMY*\Local Settings\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\DOCUMENTS AND SETTINGS\*CATHY28*\Local Settings\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Repeat this process for any other user profiles on the machine.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files".

Put a check by "Delete Offline Content" and click OK.

Empty your recycle bin.

Please *download* the *OTMoveIt by OldTimer*.

*Save* it to your *desktop*.
Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

> C:\WINDOWS\system32\__c0085369.dat
> C:\WINDOWS\system32\epeulnov.dll

Return to OTMoveIt, right click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
Click the red *Moveit!* button.
Close *OTMoveIt*.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

After you restart the machine please try to download ComboFix again, see my post #4.


----------
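Added example, not part of any post in this thread: a small triage script that applies, to HijackThis lines copied from the logs above, the kinds of checks that single out the six entries selected for fixing. The function names and the three heuristics (missing DLL behind an O2/O20 load point, a populated AppInit_DLLs value, a Run key starting rundll32 with a hex-looking value name or one-letter export) are assumptions made for illustration, not HijackThis or ComboFix logic.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: lines copied from the HijackThis logs in this thread,
# mixing the entries selected for fixing with entries that were left alone.
SAMPLE_LOG = r"""
O2 - BHO: {6e0505ab-fcab-009b-9f24-95b0b7052e16} - {61e2507b-0b59-42f9-b900-bacfba5050e6} - C:\WINDOWS\system32\plfpquxd.dll (file missing)
O4 - HKLM\..\Run: [dc6c0abe] rundll32.exe "C:\WINDOWS\system32\epeulnov.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashlyn.CATHY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0085369.dat
O20 - Winlogon Notify: wminqxkx - wminqxkx.dll (file missing)
O20 - Winlogon Notify: wqjcwmvm - wqjcwmvm.dll (file missing)
O20 - Winlogon Notify: zrkwbnfv - zrkwbnfv.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why the line deserves a closer look
    line: str      # the original log line


# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Registry Run entries only; "Global Startup" shortcuts do not match.
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
# rundll32 <dll>,<export> with or without quotes around the DLL path.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.IGNORECASE
)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def classify(section: str, body: str) -> Optional[str]:
    """Return a reason string if the entry matches one of the heuristics."""
    # Heuristic 1 (assumption): any populated AppInit_DLLs value gets reviewed,
    # because DLLs listed there load into every process that loads user32.dll.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        return "AppInit_DLLs is populated" if value else None

    # Heuristic 2 (assumption): a BHO or Winlogon Notify entry whose DLL is
    # gone is a leftover load point. O9 shortcuts with a missing target are
    # ignored, as in the thread.
    if section in ("O2", "O20") and body.endswith("(file missing)"):
        return "load point references a DLL that is missing on disk"

    # Heuristic 3 (assumption): a Run key that starts rundll32 where the value
    # name looks like 8 hex digits or the export is a single character.
    if section == "O4":
        run = RUN_RE.search(body)
        if run:
            dll = RUNDLL_RE.search(run.group("cmd"))
            if dll and (
                HEX_NAME_RE.match(run.group("name"))
                or len(dll.group("export")) == 1
            ):
                return "Run key starts rundll32 with a hex value name or one-letter export"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return the entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # header lines, process list, blank lines
        reason = classify(match.group("section"), match.group("body"))
        if reason:
            findings.append(Finding(match.group("section"), reason, line))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

The NVIDIA rundll32 entry, the IMVU shortcut and the SUPERAntiSpyware Winlogon Notify entry pass through unflagged, which is the point of keeping each rule narrow; anything the script flags still needs a human to confirm it before it is fixed.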



## Jess222 (May 13, 2007)

Hi Cybertech,
I don't know if this is correct. When I tried to go to C:\Windows\Temp folder in all user profiles, 1 file could not be deleted. Perflib_Perfdata_784 NeroMediaPlayer media files 16KB would not budge! It told me it was being used by another person or program. Window came up to tell me to close any program that might be using the file and try again, but I don't even know where to look. Any help on this would be great. Thanks

ComboFix 07-11-08.1 - Cathy28 2007-11-16 17:32:47.2 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.211 [GMT 10.5:30]
Running from: C:\Documents and Settings\Cathy28\Local Settings\Temporary Internet Files\Content.IE5\OAZNOZX8\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\wminqxkx.dllbox
C:\WINDOWS\system32\wqjcwmvm.dllbox
C:\WINDOWS\system32\zrkwbnfv.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-15 15:31 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 15:31 d--------	C:\Documents and Settings\Cathy28\Application Data\SUPERAntiSpyware.com
2007-11-15 15:16 d--------	C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-14 07:01 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-11-14 07:01 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-14 06:36 d--------	C:\Program Files\ACW
2007-11-11 10:25 d--------	C:\Program Files\QuickTime
2007-11-09 16:20	146,638	--ahs----	C:\WINDOWS\system32\oqstv.ini2
2007-11-09 15:37	139,467	--ahs----	C:\WINDOWS\system32\oqstv.bak2
2007-11-08 16:56	502,368	--a------	C:\WINDOWS\system32\drivers\amon.sys
2007-11-08 16:56	274,432	--a------	C:\WINDOWS\system32\imon.dll
2007-11-08 16:36 d--------	C:\Program Files\Innovative Solutions
2007-11-08 16:14 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 21:47	6,465	--ahs----	C:\WINDOWS\system32\qqtss.bak1
2007-11-07 20:10	6,505	--ahs----	C:\WINDOWS\system32\orutv.bak1
2007-11-07 17:25	6,465	--ahs----	C:\WINDOWS\system32\gjkmp.bak1
2007-11-05 16:01 d--------	C:\Program Files\SUPERAntiSpyware
2007-11-05 16:01 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-05 15:26	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-04 18:43 d--------	C:\Program Files\Trend Micro
2007-10-20 13:44 d--------	C:\Program Files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 04:45	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 07:13	---------	d-----w	C:\Program Files\Windows Live Toolbar
2007-11-14 07:11	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-14 07:11	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-11-14 07:09	---------	d-----w	C:\Program Files\MySpace
2007-11-08 12:00	---------	d-----w	C:\Program Files\IMVU
2007-10-08 00:48	---------	d-----w	C:\Documents and Settings\Guest\Application Data\MySpace
2007-10-04 03:44	---------	d-----w	C:\Documents and Settings\Guest\Application Data\Apple Computer
2007-10-03 03:29	---------	d-----w	C:\Documents and Settings\Guest\Application Data\Talkback
2007-10-01 22:50	---------	d-----w	C:\Program Files\Java
2007-10-01 22:49	---------	d-----w	C:\Program Files\Common Files\Java
2007-09-26 07:12	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-23 11:55	---------	d-----w	C:\Program Files\MSN Messenger
2006-07-14 07:53	21,408	----a-w	C:\Documents and Settings\Cathy28\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( [email protected]_15.42.00.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-24 10:54:24	299,432	----a-w	C:\WINDOWS\Downloaded Program Files\CONFLICT.1\StProxy.dll
+ 2004-08-04 12:00:00	61,440	-c--a-w	C:\WINDOWS\ie7\admparse.dll
+ 2004-08-04 12:00:00	99,840	-c--a-w	C:\WINDOWS\ie7\advpack.dll
+ 2004-08-04 12:00:00	35,328	-c--a-w	C:\WINDOWS\ie7\corpol.dll
+ 2006-06-03 11:40:49	33,792	-c--a-w	C:\WINDOWS\ie7\custsat.dll
+ 2007-08-22 12:55:30	357,888	-c--a-w	C:\WINDOWS\ie7\dxtmsft.dll
+ 2007-08-22 12:55:31	205,824	-c--a-w	C:\WINDOWS\ie7\dxtrans.dll
+ 2007-08-22 12:55:31	55,808	-c--a-w	C:\WINDOWS\ie7\extmgr.dll
+ 2004-08-04 12:00:00	38,912	-c--a-w	C:\WINDOWS\ie7\hmmapi.dll
+ 2004-08-04 12:00:00	34,304	-c--a-w	C:\WINDOWS\ie7\ie4uinit.exe
+ 2004-08-04 12:00:00	139,264	-c--a-w	C:\WINDOWS\ie7\ieakeng.dll
+ 2004-08-04 12:00:00	216,576	-c--a-w	C:\WINDOWS\ie7\ieaksie.dll
+ 2004-08-04 12:00:00	221,184	-c--a-w	C:\WINDOWS\ie7\ieakui.dll
+ 2004-08-04 12:00:00	323,584	-c--a-w	C:\WINDOWS\ie7\iedkcs32.dll
+ 2007-08-21 10:19:39	18,432	-c--a-w	C:\WINDOWS\ie7\iedw.exe
+ 2004-08-04 12:00:00	81,920	-c--a-w	C:\WINDOWS\ie7\ieencode.dll
+ 2007-08-22 12:55:32	251,904	-c--a-w	C:\WINDOWS\ie7\iepeers.dll
+ 2004-08-04 12:00:00	48,640	-c--a-w	C:\WINDOWS\ie7\iernonce.dll
+ 2004-08-04 12:00:00	62,976	-c--a-w	C:\WINDOWS\ie7\iesetup.dll
+ 2004-08-04 12:00:00	93,184	-c--a-w	C:\WINDOWS\ie7\iexplore.exe
+ 2004-08-04 12:00:00	35,840	-c--a-w	C:\WINDOWS\ie7\imgutil.dll
+ 2007-08-22 12:55:32	96,256	-c--a-w	C:\WINDOWS\ie7\inseng.dll
+ 2006-05-18 05:24:25	450,560	-c--a-w	C:\WINDOWS\ie7\jscript.dll
+ 2007-08-22 12:55:32	16,384	-c--a-w	C:\WINDOWS\ie7\jsproxy.dll
+ 2004-08-04 12:00:00	22,016	-c--a-w	C:\WINDOWS\ie7\licmgr10.dll
+ 2004-08-04 12:00:00	29,184	-c--a-w	C:\WINDOWS\ie7\mshta.exe
+ 2007-08-22 12:55:36	3,064,832	-c--a-w	C:\WINDOWS\ie7\mshtml.dll
+ 2007-08-22 12:55:37	449,024	-c--a-w	C:\WINDOWS\ie7\mshtmled.dll
+ 2004-08-04 12:00:00	56,832	-c--a-w	C:\WINDOWS\ie7\mshtmler.dll
+ 2004-08-04 12:00:00	146,432	-c--a-w	C:\WINDOWS\ie7\msls31.dll
+ 2007-08-22 12:55:37	146,432	-c--a-w	C:\WINDOWS\ie7\msrating.dll
+ 2007-08-22 12:55:38	532,480	-c--a-w	C:\WINDOWS\ie7\mstime.dll
+ 2004-08-04 12:00:00	96,256	-c--a-w	C:\WINDOWS\ie7\occache.dll
+ 2007-08-22 12:55:38	39,424	-c--a-w	C:\WINDOWS\ie7\pngfilt.dll
+ 2007-08-13 08:24:42	32,960	-c--a-w	C:\WINDOWS\ie7\spuninst\iecustom.dll
+ 2007-08-13 08:22:06	66,048	-c--a-w	C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2006-09-06 07:13:16	213,216	-c--a-w	C:\WINDOWS\ie7\spuninst\spuninst.exe
+ 2006-09-06 07:13:18	371,424	-c--a-w	C:\WINDOWS\ie7\spuninst\updspapi.dll
+ 2004-08-04 12:00:00	37,888	-c--a-w	C:\WINDOWS\ie7\url.dll
+ 2007-08-22 12:55:43	617,984	-c--a-w	C:\WINDOWS\ie7\urlmon.dll
+ 2004-08-04 12:00:00	417,792	-c--a-w	C:\WINDOWS\ie7\vbscript.dll
+ 2007-06-26 15:13:22	851,968	-c--a-w	C:\WINDOWS\ie7\vgx.dll
+ 2004-08-04 12:00:00	276,480	-c--a-w	C:\WINDOWS\ie7\webcheck.dll
+ 2007-08-22 12:55:44	665,600	-c--a-w	C:\WINDOWS\ie7\wininet.dll
- 2007-10-04 03:44:20	102,400	----a-r	C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe
+ 2007-11-10 23:58:45	102,400	----a-r	C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe
+ 2007-11-15 05:01:56	29,696	----a-r	C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-15 05:01:56	18,944	----a-r	C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-15 05:01:56	65,024	----a-r	C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2004-08-04 12:00:00	61,440	----a-w	C:\WINDOWS\system32\admparse.dll
+ 2007-08-13 08:09:20	71,680	----a-w	C:\WINDOWS\system32\admparse.dll
- 2004-08-04 12:00:00	99,840	----a-w	C:\WINDOWS\system32\advpack.dll
+ 2007-08-20 10:04:34	124,928	----a-w	C:\WINDOWS\system32\advpack.dll
- 2004-08-04 12:00:00	35,328	----a-w	C:\WINDOWS\system32\corpol.dll
+ 2007-08-13 08:12:54	17,408	----a-w	C:\WINDOWS\system32\corpol.dll
- 2004-08-04 12:00:00	61,440	-c--a-w	C:\WINDOWS\system32\dllcache\admparse.dll
+ 2007-08-13 08:09:20	71,680	-c--a-w	C:\WINDOWS\system32\dllcache\admparse.dll
- 2004-08-04 12:00:00	99,840	-c--a-w	C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-08-20 10:04:34	124,928	-c----w	C:\WINDOWS\system32\dllcache\advpack.dll
- 2004-08-04 12:00:00	35,328	-c--a-w	C:\WINDOWS\system32\dllcache\corpol.dll
+ 2007-08-13 08:12:54	17,408	-c--a-w	C:\WINDOWS\system32\dllcache\corpol.dll
- 2006-06-03 11:40:49	33,792	-c--a-w	C:\WINDOWS\system32\dllcache\custsat.dll
+ 2007-08-13 08:24:10	33,792	-c--a-w	C:\WINDOWS\system32\dllcache\custsat.dll
- 2007-08-22 12:55:30	357,888	-c--a-w	C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-08-13 08:05:46	346,624	-c--a-w	C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-08-22 12:55:31	205,824	-c--a-w	C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-08-20 10:04:34	214,528	-c----w	C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-22 12:55:31	55,808	-c--a-w	C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-08-20 10:04:34	132,608	-c----w	C:\WINDOWS\system32\dllcache\extmgr.dll
- 2004-08-04 12:00:00	38,912	-c--a-w	C:\WINDOWS\system32\dllcache\hmmapi.dll
+ 2007-08-13 07:48:02	60,416	-c--a-w	C:\WINDOWS\system32\dllcache\hmmapi.dll
- 2004-08-04 12:00:00	34,304	-c--a-w	C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-08-17 10:20:54	63,488	-c----w	C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2004-08-04 12:00:00	139,264	-c--a-w	C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-08-20 10:04:34	153,088	-c----w	C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2004-08-04 12:00:00	216,576	-c--a-w	C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-08-20 10:04:35	230,400	-c----w	C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2004-08-04 12:00:00	221,184	-c--a-w	C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-08-17 07:34:25	161,792	-c----w	C:\WINDOWS\system32\dllcache\ieakui.dll
- 2004-08-04 12:00:00	323,584	-c--a-w	C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-08-20 10:04:35	384,512	-c----w	C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-21 10:19:39	18,432	-c--a-w	C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-13 08:14:02	69,120	-c--a-w	C:\WINDOWS\system32\dllcache\iedw.exe
- 2004-08-04 12:00:00	81,920	-c--a-w	C:\WINDOWS\system32\dllcache\ieencode.dll
+ 2007-08-13 08:15:18	78,336	-c--a-w	C:\WINDOWS\system32\dllcache\ieencode.dll
- 2007-08-22 12:55:32	251,904	-c--a-w	C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-08-13 08:24:10	191,488	-c--a-w	C:\WINDOWS\system32\dllcache\iepeers.dll
- 2004-08-04 12:00:00	48,640	-c--a-w	C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-08-20 10:04:38	44,544	-c----w	C:\WINDOWS\system32\dllcache\iernonce.dll
- 2004-08-04 12:00:00	62,976	-c--a-w	C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2007-08-13 08:09:12	55,296	-c--a-w	C:\WINDOWS\system32\dllcache\iesetup.dll
- 2004-08-04 12:00:00	93,184	-c--a-w	C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-08-17 10:21:21	625,152	-c----w	C:\WINDOWS\system32\dllcache\iexplore.exe
- 2004-08-04 12:00:00	35,840	-c--a-w	C:\WINDOWS\system32\dllcache\imgutil.dll
+ 2007-08-13 08:06:06	36,352	-c--a-w	C:\WINDOWS\system32\dllcache\imgutil.dll
- 2007-08-22 12:55:32	96,256	-c--a-w	C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-08-13 08:09:02	92,672	-c--a-w	C:\WINDOWS\system32\dllcache\inseng.dll
- 2006-05-18 05:24:25	450,560	-c--a-w	C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-08-13 08:08:04	491,520	-c--a-w	C:\WINDOWS\system32\dllcache\jscript.dll
- 2007-08-22 12:55:32	16,384	-c--a-w	C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-08-20 10:04:39	27,648	-c----w	C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-04 12:00:00	22,016	-c--a-w	C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2007-08-13 08:14:18	40,960	-c--a-w	C:\WINDOWS\system32\dllcache\licmgr10.dll
- 2004-08-04 12:00:00	29,184	-c--a-w	C:\WINDOWS\system32\dllcache\mshta.exe
+ 2007-08-13 08:02:30	45,568	-c--a-w	C:\WINDOWS\system32\dllcache\mshta.exe
- 2007-08-22 12:55:36	3,064,832	-c--a-w	C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-08-20 05:04:42	3,584,512	-c----w	C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-22 12:55:37	449,024	-c--a-w	C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-08-20 10:04:41	477,696	-c----w	C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2004-08-04 12:00:00	56,832	-c--a-w	C:\WINDOWS\system32\dllcache\mshtmler.dll
+ 2007-08-13 07:31:12	48,128	-c--a-w	C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2004-08-04 12:00:00	146,432	-c--a-w	C:\WINDOWS\system32\dllcache\msls31.dll
+ 2007-08-13 08:24:10	156,160	-c--a-w	C:\WINDOWS\system32\dllcache\msls31.dll
- 2007-08-22 12:55:37	146,432	-c--a-w	C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-08-20 10:04:41	193,024	-c----w	C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-22 12:55:38	532,480	-c--a-w	C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-08-20 10:04:42	671,232	-c----w	C:\WINDOWS\system32\dllcache\mstime.dll
- 2004-08-04 12:00:00	96,256	-c--a-w	C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-08-20 10:04:42	102,400	-c----w	C:\WINDOWS\system32\dllcache\occache.dll
- 2007-08-22 12:55:38	39,424	-c--a-w	C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-08-13 08:06:12	44,544	-c--a-w	C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2006-12-19 21:52:18	8,453,632	-c--a-w	C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:34:01	8,460,288	-c--a-w	C:\WINDOWS\system32\dllcache\shell32.dll
- 2004-08-04 12:00:00	37,888	-c--a-w	C:\WINDOWS\system32\dllcache\url.dll
+ 2007-08-20 10:04:42	105,984	-c----w	C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-22 12:55:43	617,984	-c--a-w	C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-08-20 10:04:42	1,152,000	-c----w	C:\WINDOWS\system32\dllcache\urlmon.dll
- 2004-08-04 12:00:00	417,792	-c--a-w	C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2007-08-13 08:24:10	413,696	-c--a-w	C:\WINDOWS\system32\dllcache\vbscript.dll
- 2007-06-26 15:13:22	851,968	-c--a-w	C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-07-12 23:31:54	765,952	-c--a-w	C:\WINDOWS\system32\dllcache\vgx.dll
- 2004-08-04 12:00:00	276,480	-c--a-w	C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-08-20 10:04:42	232,960	-c----w	C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-22 12:55:44	665,600	-c--a-w	C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-08-20 10:04:43	824,832	-c----w	C:\WINDOWS\system32\dllcache\wininet.dll
- 2007-08-22 12:55:30	357,888	----a-w	C:\WINDOWS\system32\dxtmsft.dll
+ 2007-08-13 08:05:46	346,624	----a-w	C:\WINDOWS\system32\dxtmsft.dll
- 2007-08-22 12:55:31	205,824	----a-w	C:\WINDOWS\system32\dxtrans.dll
+ 2007-08-20 10:04:34	214,528	----a-w	C:\WINDOWS\system32\dxtrans.dll
- 2007-08-22 12:55:31	55,808	----a-w	C:\WINDOWS\system32\extmgr.dll
+ 2007-08-20 10:04:34	132,608	----a-w	C:\WINDOWS\system32\extmgr.dll
+ 2007-08-20 10:04:34	63,488	----a-w	C:\WINDOWS\system32\icardie.dll
- 2004-08-04 12:00:00	34,304	----a-w	C:\WINDOWS\system32\ie4uinit.exe
+ 2007-08-17 10:20:54	63,488	----a-w	C:\WINDOWS\system32\ie4uinit.exe
- 2004-08-04 12:00:00	139,264	----a-w	C:\WINDOWS\system32\ieakeng.dll
+ 2007-08-20 10:04:34	153,088	----a-w	C:\WINDOWS\system32\ieakeng.dll
- 2004-08-04 12:00:00	216,576	----a-w	C:\WINDOWS\system32\ieaksie.dll
+ 2007-08-20 10:04:35	230,400	----a-w	C:\WINDOWS\system32\ieaksie.dll
- 2004-08-04 12:00:00	221,184	----a-w	C:\WINDOWS\system32\ieakui.dll
+ 2007-08-17 07:34:25	161,792	----a-w	C:\WINDOWS\system32\ieakui.dll
- 2004-08-04 12:00:00	323,584	----a-w	C:\WINDOWS\system32\iedkcs32.dll
+ 2007-08-20 10:04:35	384,512	----a-w	C:\WINDOWS\system32\iedkcs32.dll
- 2004-08-04 12:00:00	81,920	----a-w	C:\WINDOWS\system32\ieencode.dll
+ 2007-08-13 08:15:18	78,336	----a-w	C:\WINDOWS\system32\ieencode.dll
+ 2007-08-20 10:04:37	6,058,496	----a-w	C:\WINDOWS\system32\ieframe.dll
- 2007-08-22 12:55:32	251,904	----a-w	C:\WINDOWS\system32\iepeers.dll
+ 2007-08-13 08:24:10	191,488	----a-w	C:\WINDOWS\system32\iepeers.dll
- 2004-08-04 12:00:00	48,640	----a-w	C:\WINDOWS\system32\iernonce.dll
+ 2007-08-20 10:04:38	44,544	----a-w	C:\WINDOWS\system32\iernonce.dll
+ 2007-08-20 10:04:38	267,776	----a-w	C:\WINDOWS\system32\iertutil.dll
- 2004-08-04 12:00:00	62,976	----a-w	C:\WINDOWS\system32\iesetup.dll
+ 2007-08-13 08:09:12	55,296	----a-w	C:\WINDOWS\system32\iesetup.dll
+ 2007-08-13 08:24:10	180,736	----a-w	C:\WINDOWS\system32\ieui.dll
- 2004-08-04 12:00:00	35,840	----a-w	C:\WINDOWS\system32\imgutil.dll
+ 2007-08-13 08:06:06	36,352	----a-w	C:\WINDOWS\system32\imgutil.dll
- 2007-08-22 12:55:32	96,256	----a-w	C:\WINDOWS\system32\inseng.dll
+ 2007-08-13 08:09:02	92,672	----a-w	C:\WINDOWS\system32\inseng.dll
- 2006-05-18 05:24:25	450,560	----a-w	C:\WINDOWS\system32\jscript.dll
+ 2007-08-13 08:08:04	491,520	----a-w	C:\WINDOWS\system32\jscript.dll
- 2007-08-22 12:55:32	16,384	----a-w	C:\WINDOWS\system32\jsproxy.dll
+ 2007-08-20 10:04:39	27,648	----a-w	C:\WINDOWS\system32\jsproxy.dll
+ 2005-05-24 01:57:16	213,048	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 05:17:20	94,208	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 05:19:54	950,272	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2004-08-04 12:00:00	22,016	----a-w	C:\WINDOWS\system32\licmgr10.dll
+ 2007-08-13 08:14:18	40,960	----a-w	C:\WINDOWS\system32\licmgr10.dll
- 2007-09-28 05:19:39	18,089,592	----a-w	C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57	18,238,072	----a-w	C:\WINDOWS\system32\MRT.exe
+ 2007-08-13 08:06:40	12,288	----a-w	C:\WINDOWS\system32\msfeedssync.exe
- 2004-08-04 12:00:00	29,184	----a-w	C:\WINDOWS\system32\mshta.exe
+ 2007-08-13 08:02:30	45,568	----a-w	C:\WINDOWS\system32\mshta.exe
- 2007-08-22 12:55:36	3,064,832	----a-w	C:\WINDOWS\system32\mshtml.dll
+ 2007-08-20 05:04:42	3,584,512	----a-w	C:\WINDOWS\system32\mshtml.dll
- 2007-08-22 12:55:37	449,024	----a-w	C:\WINDOWS\system32\mshtmled.dll
+ 2007-08-20 10:04:41	477,696	----a-w	C:\WINDOWS\system32\mshtmled.dll
- 2004-08-04 12:00:00	56,832	----a-w	C:\WINDOWS\system32\mshtmler.dll
+ 2007-08-13 07:31:12	48,128	----a-w	C:\WINDOWS\system32\mshtmler.dll
- 2004-08-04 12:00:00	146,432	----a-w	C:\WINDOWS\system32\msls31.dll
+ 2007-08-13 08:24:10	156,160	----a-w	C:\WINDOWS\system32\msls31.dll
- 2007-08-22 12:55:37	146,432	----a-w	C:\WINDOWS\system32\msrating.dll
+ 2007-08-20 10:04:41	193,024	----a-w	C:\WINDOWS\system32\msrating.dll
- 2007-08-22 12:55:38	532,480	----a-w	C:\WINDOWS\system32\mstime.dll
+ 2007-08-20 10:04:42	671,232	----a-w	C:\WINDOWS\system32\mstime.dll
- 2004-08-04 12:00:00	96,256	----a-w	C:\WINDOWS\system32\occache.dll
+ 2007-08-20 10:04:42	102,400	----a-w	C:\WINDOWS\system32\occache.dll
- 2007-08-22 12:55:38	39,424	----a-w	C:\WINDOWS\system32\pngfilt.dll
+ 2007-08-13 08:06:12	44,544	----a-w	C:\WINDOWS\system32\pngfilt.dll
- 2006-12-19 21:52:18	8,453,632	----a-w	C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:34:01	8,460,288	----a-w	C:\WINDOWS\system32\shell32.dll
- 2004-08-04 12:00:00	37,888	----a-w	C:\WINDOWS\system32\url.dll
+ 2007-08-20 10:04:42	105,984	----a-w	C:\WINDOWS\system32\url.dll
- 2007-08-22 12:55:43	617,984	----a-w	C:\WINDOWS\system32\urlmon.dll
+ 2007-08-20 10:04:42	1,152,000	----a-w	C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 12:00:00	417,792	----a-w	C:\WINDOWS\system32\vbscript.dll
+ 2007-08-13 08:24:10	413,696	----a-w	C:\WINDOWS\system32\vbscript.dll
- 2004-08-04 12:00:00	276,480	----a-w	C:\WINDOWS\system32\webcheck.dll
+ 2007-08-20 10:04:42	232,960	----a-w	C:\WINDOWS\system32\webcheck.dll
+ 2007-08-13 08:15:16	206,336	----a-w	C:\WINDOWS\system32\WinFXDocObj.exe
- 2007-08-22 12:55:44	665,600	----a-w	C:\WINDOWS\system32\wininet.dll
+ 2007-08-20 10:04:43	824,832	----a-w	C:\WINDOWS\system32\wininet.dll
- 2007-08-21 10:13:33	350,720	----a-w	C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:04:03	350,720	----a-w	C:\WINDOWS\system32\xpsp3res.dll
+ 2007-11-16 07:06:26	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_7f4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-04-26 16:46 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 21:36]
"nwiz"="nwiz.exe" [2005-12-10 21:36 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 21:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-08 16:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:30]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [1999-10-22 11:40:00]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-07 15:22:04]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-03-17 19:31:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)

R0 axwhisky;axwhisky;C:\WINDOWS\system32\DRIVERS\axwhisky.sys
R0 axwskbus;axwskbus;C:\WINDOWS\system32\DRIVERS\axwskbus.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 usb2vcom;Nokia CA-42 USB;C:\WINDOWS\system32\DRIVERS\usb2vcom.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc	p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-10-18 03:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-16 05:13:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 17:38:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 17:39:20 - machine was rebooted 
C:\ComboFix2.txt ... 2007-11-05 15:42
.
--- E O F ---


----------



## Jess222 (May 13, 2007)

Oh, I forgot. When trying to get into EMMY temp folder or CATHY28 temp folder, it told me that access is denied!! Here is new Hijack This log anyway.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:14 PM, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashlyn.CATHY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paramountpc.com.au
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games  Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6966 bytes


----------



## cybertech (Apr 16, 2002)

Jess222 said:


> Hi Cybertech,
> I don't know if this is correct. When I tried to go to C:Windows\Temp folder in all user profiles, 1 file could not be deleted. Perflib_Perfdata_784 NeroMediaPlayer media files 16KB would not budge! It told me it was being used by another person or program. Window came up to tell me to close any program that might be using the file and try again, but I don't even know where to look. Any help on this would be great. Thanks


Those are fine, they are generated by System Monitor.


----------



## cybertech (Apr 16, 2002)

Jess222 said:


> Oh, I forgot. When trying to get into EMMY temp folder or CATHY28 temp folder, it told me that access is denied!!


You have to have admin rights on the computer or log in as admin then. If you can't do that, this attempt to clean up the PC is not going to work.

Please *download* the *OTMoveIt by OldTimer*.

- *Save* it to your *desktop*.
- Please double-click *OTMoveIt.exe* to run it.
- *Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):



> C:\WINDOWS\system32\oqstv.ini2
> C:\WINDOWS\system32\oqstv.bak2
> C:\WINDOWS\system32\qqtss.bak1
> C:\WINDOWS\system32\orutv.bak1
> ...



- Return to OTMoveIt, right click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
- Click the red *Moveit!* button.
- Close *OTMoveIt*.
- If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*


----------



## Jess222 (May 13, 2007)

Hi Cybertech,

You were right, again! I went to the User Accounts and found that the kids had changed their accounts to Administrators!! God love 'em!!! I have returned things back to the way they were, with only me as the Admin. I got rid of those files with OT and here are the new logs. Do things seem better?

ComboFix 07-11-08.1 - Cathy28 2007-11-17 10:17:45.3 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.173 [GMT 10.5:30]
Running from: C:\Documents and Settings\Cathy28\Local Settings\Temporary Internet Files\Content.IE5\OAZNOZX8\ComboFix[1].exe
.

((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-15 15:31 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 15:31 d--------	C:\Documents and Settings\Cathy28\Application Data\SUPERAntiSpyware.com
2007-11-15 15:16 d--------	C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-14 07:01 d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-11-14 07:01 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-14 06:36 d--------	C:\Program Files\ACW
2007-11-11 10:25 d--------	C:\Program Files\QuickTime
2007-11-08 16:56	502,368	--a------	C:\WINDOWS\system32\drivers\amon.sys
2007-11-08 16:56	274,432	--a------	C:\WINDOWS\system32\imon.dll
2007-11-08 16:36 d--------	C:\Program Files\Innovative Solutions
2007-11-08 16:14 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 16:01 d--------	C:\Program Files\SUPERAntiSpyware
2007-11-05 16:01 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-05 15:26	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-04 18:43 d--------	C:\Program Files\Trend Micro
2007-10-20 13:44 d--------	C:\Program Files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 04:45	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 07:13	---------	d-----w	C:\Program Files\Windows Live Toolbar
2007-11-14 07:11	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-14 07:11	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-11-14 07:09	---------	d-----w	C:\Program Files\MySpace
2007-11-08 12:00	---------	d-----w	C:\Program Files\IMVU
2007-10-08 00:48	---------	d-----w	C:\Documents and Settings\Guest\Application Data\MySpace
2007-10-04 03:44	---------	d-----w	C:\Documents and Settings\Guest\Application Data\Apple Computer
2007-10-03 03:29	---------	d-----w	C:\Documents and Settings\Guest\Application Data\Talkback
2007-10-01 22:50	---------	d-----w	C:\Program Files\Java
2007-10-01 22:49	---------	d-----w	C:\Program Files\Common Files\Java
2007-09-26 07:12	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-23 11:55	---------	d-----w	C:\Program Files\MSN Messenger
2007-08-21 06:15	683,520	----a-w	C:\WINDOWS\system32\inetcomm.dll
2006-07-14 07:53	21,408	----a-w	C:\Documents and Settings\Cathy28\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2007-11-16_17.38.46.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-16 23:45:03	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_48c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-04-26 16:46 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 21:36]
"nwiz"="nwiz.exe" [2005-12-10 21:36 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 21:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-08 16:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:30]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [1999-10-22 11:40:00]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-07 15:22:04]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-03-17 19:31:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)

R0 axwhisky;axwhisky;C:\WINDOWS\system32\DRIVERS\axwhisky.sys
R0 axwskbus;axwskbus;C:\WINDOWS\system32\DRIVERS\axwskbus.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 usb2vcom;Nokia CA-42 USB;C:\WINDOWS\system32\DRIVERS\usb2vcom.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc	p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-10-18 03:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-16 23:47:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 10:19:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 10:20:34
C:\ComboFix2.txt ... 2007-11-16 17:39
C:\ComboFix3.txt ... 2007-11-05 15:42
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:57 AM, on 17/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ashlyn.CATHY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paramountpc.com.au
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games  Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6913 bytes


----------



## cybertech (Apr 16, 2002)

Jess222 said:


> Hi Cybertech,
> 
> You were right, again! I went to the User Accounts and found that the kids had changed their accounts to Administrators!! God love 'em!!! I have returned things back to the way they were, with only me as the Admin. I got rid of those files with OT and here are the new logs. Do things seem better?






Kids will be kids! I know because I was one.... once!

Yes the log looks better.

Are you having any problems or shall we set a new restore point now?


----------



## Jess222 (May 13, 2007)

Hi, 
There only seems to be one problem (minor) I think. I use Mozilla Thunderbird as my default email (always seem to have fewer problems with that than IE). However, when I receive an email with a web address in it, I am unable to go straight to the address. I was able to before, but now an IE window opens and it is blank. Would it be best just to uninstall and reinstall Thunderbird and see if that works? I'm not quite sure. Thanks in advance.


----------



## cybertech (Apr 16, 2002)

Yes, try a reinstall of Thunderbird.


----------



## Jess222 (May 13, 2007)

Hi Cybertech,

:up: :up: :up: :up: :up: :up: :up: :up:

All is good!!!! Comp is running so much better because of your help. Never thought it would happen, but we got there in the end. Once again, THANK YOU so much for all your time and effort. It is very much appreciated.



----------



## cybertech (Apr 16, 2002)

You can and *should* remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

*OTMoveIt by OldTimer* has a *CleanUp!* option you can use to remove most of the fixes and associated files and folders if you want to use that. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.

It's a good idea to flush your System Restore after removing malware:
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405

Clean up your PC 

Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools

You're welcome!


----------

