6th February 2008
#1
Inactive
Profile:
Join Date: Feb 2008
Posts: 17
Computer Experience: Intermediate
[Resolved] Super Slow Boot, plus ad windows everywhere! - DSS main log
Hi,
Over the past 2 days, I've witnessed my computer slow to a crawl in Normal mode and Safe mode. Plus, even though I use Firefox, I get IE ad windows if I ever surf. I've since unplugged my computer. My Norton Firewall blocks certain packages coming from my computer.
I've noticed the following files:
17PHolmes10006.exe (once when I shutdown - error closing)
c:\Windows\tk.exe (from Adaware scan - removed supposedly, but doesn't improve performance)
I'm a newbie and scared I'll lose my whole HD. I've run HijackThis - log as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:08 AM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Drmupgds\Drmupgds.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnyes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {92B255FE-94E2-4BCA-958D-3926CE38913F} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [4c86c91b] rundll32.exe "C:\WINDOWS\system32\cyjtuvys.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [hip2p] C:\Program Files\hip2p\hip2p.exe min
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-68e4741c1554c772.spaces.l...d/MsnPUpld.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 9361 bytes
6th February 2008
#2
Inactive
Profile:
Join Date: Feb 2008
Posts: 17
Computer Experience: Intermediate
Super Slow Boot, plus ad windows everywhere! - DSS main log
This is my DSS main.txt -- Please help!
Deckard's System Scanner v20071014.68
Run by Helen Chiu on 2008-02-06 00:56:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
56: 2008-02-06 05:56:56 UTC - RP829 - Deckard's System Scanner Restore Point
55: 2008-02-05 06:31:05 UTC - RP828 - Last known good configuration
54: 2008-02-05 06:30:53 UTC - RP827 - System Checkpoint
53: 2008-02-05 06:30:53 UTC - RP826 - System Checkpoint
52: 2008-02-05 06:30:53 UTC - RP825 - System Checkpoint
-- First Restore Point --
1: 2008-02-05 06:30:39 UTC - RP774 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 503 MiB (512 MiB recommended).
System Drive C: has 9.26 GiB (less than 15%) free.
-- HijackThis (run as Helen Chiu.exe) ------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:25 AM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Drmupgds\Drmupgds.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Helen Chiu\Desktop\dss .exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Helen Chiu.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnyes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: 0 - {062479A8-C6C3-4A5E-9D8E-E5F2D9E02CAB} - C:\Program Files\Common Files\qucav.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: {7d27df1d-7dc9-ecab-dd24-f9a0b95663a2} - {2a36659b-0a9f-42dd-bace-9cd7d1fd72d7} - C:\WINDOWS\system32\pfnvdsdd.dll
O2 - BHO: (no name) - {39EBC0A3-0793-4B15-AAF2-0CDA23BB2D3E} - C:\Program Files\Windows NT\meqocahot4444.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {78E5CBB5-A5C2-4FCF-8E72-54273C3AA186} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {96e54d11-3a80-40b1-b98f-35619fe2faaa} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\wslezvlu.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\opnopqq.dll
O2 - BHO: (no name) - {FC2C0946-1082-40F3-88CB-080546426B2F} - C:\Program Files\Windows NT\meqocahot83122.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {92B255FE-94E2-4BCA-958D-3926CE38913F} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [4c86c91b] rundll32.exe "C:\WINDOWS\system32\cyjtuvys.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [hip2p] C:\Program Files\hip2p\hip2p.exe min
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-68e4741c1554c772.spaces.l...d/MsnPUpld.cab
O20 - Winlogon Notify: cmsCFG - cmsCFG.dll (file missing)
O20 - Winlogon Notify: opnopqq - C:\WINDOWS\SYSTEM32\opnopqq.dll
O20 - Winlogon Notify: wslezvlu - C:\WINDOWS\SYSTEM32\wslezvlu.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 11200 bytes
-- File Associations -----------------------------------------------------------
.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 FLPYDISKK - c:\windows\system32\drivers\flpydiskk.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link AirPlus Xtreme G DWL-G132 Wireless USB Adapter(rev.A)
Device ID: USB\VID_2001&PID_3A02\1.0
Manufacturer: D-Link
Name: D-Link AirPlus Xtreme G DWL-G132 Wireless USB Adapter(rev.A)
PNP Device ID: USB\VID_2001&PID_3A02\1.0
Service: A5AGU
-- Scheduled Tasks -------------------------------------------------------------
2008-02-06 00:58:15 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-02-04 20:42:41 632 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Helen Chiu.job
2008-02-01 17:15:00 400 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-01-22 13:19:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
-- Files created between 2008-01-06 and 2008-02-06 -----------------------------
2008-02-05 22:43:24 0 d-------- C:\Program Files\Trend Micro
2008-02-05 01:33:28 88128 --a------ C:\WINDOWS\system32\cyjtuvys.dll
2008-02-05 01:31:55 163904 --a------ C:\WINDOWS\system32\wslezvlu.dll
2008-02-05 01:31:52 163904 --a------ C:\WINDOWS\system32\vhosgnsk.dll
2008-02-05 01:31:46 93248 --a------ C:\WINDOWS\system32\pfnvdsdd.dll
2008-02-05 01:30:28 365559 --ahs---- C:\WINDOWS\system32\cfhkj.ini2
2008-02-05 01:30:21 328704 --a------ C:\WINDOWS\system32\jkhfc.dll
2008-02-05 01:26:38 0 d-------- C:\Program Files\Drmupgds
2008-02-05 01:26:37 0 d-------- C:\Program Files\Temporary
2008-02-05 00:54:55 169147 --a------ C:\WINDOWS\TTC-4444.exe
2008-02-05 00:54:45 36864 --a------ C:\WINDOWS\17PHolmes1000106.exe
2008-02-05 00:54:11 86016 --a------ C:\WINDOWS\system32\drivers\FLPYDISKK.sys
2008-02-05 00:54:10 0 d-------- C:\WINDOWS\system32\z6
2008-02-05 00:54:10 0 d-------- C:\WINDOWS\system32\v9
2008-02-05 00:54:10 0 d-------- C:\WINDOWS\system32\s5
2008-02-05 00:54:10 0 d-------- C:\WINDOWS\system32\b3
2008-02-05 00:54:09 0 d-------- C:\WINDOWS\system32\p4
2008-02-05 00:53:51 36864 --a------ C:\WINDOWS\mrofinu572.exe
2008-02-05 00:53:35 41723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-02-05 00:53:32 0 d-------- C:\WINDOWS\system32\nGpxx01
2008-02-05 00:53:20 40960 --a------ C:\WINDOWS\system32\opnopqq.dll
2008-02-04 11:13:36 54272 --a------ C:\WINDOWS\b122.exe
2008-01-15 16:52:24 140800 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
-- Find3M Report ---------------------------------------------------------------
2008-02-05 01:28:21 0 d-------- C:\Program Files\Common Files
2008-02-05 01:27:59 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-05 01:26:37 0 d-------- C:\Program Files\Windows NT
2008-02-01 18:51:16 0 d-------- C:\Documents and Settings\Helen Chiu\Application Data\uTorrent
2008-01-30 23:41:43 0 d-------- C:\Program Files\Net2Phone CommCenter
2008-01-23 14:44:09 0 d-------- C:\Documents and Settings\Helen Chiu\Application Data\Intuit
2008-01-02 00:51:12 0 d-------- C:\Program Files\Sportsbook Poker
2007-12-25 21:44:28 0 d-------- C:\Program Files\WON
2007-12-25 21:41:08 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-25 21:40:59 0 d-------- C:\Program Files\MasterCook 8
2007-12-25 21:36:59 0 d-------- C:\Documents and Settings\Helen Chiu\Application Data\Adobe
2007-12-14 02:39:04 0 d-------- C:\Documents and Settings\Helen Chiu\Application Data\Skype
2007-12-10 22:07:11 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-12-10 21:52:23 0 d-------- C:\Program Files\TurboTax
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{062479A8-C6C3-4A5E-9D8E-E5F2D9E02CAB}]
C:\Program Files\Common Files\qucav.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2a36659b-0a9f-42dd-bace-9cd7d1fd72d7}]
02/05/2008 01:31 AM 93248 --a------ C:\WINDOWS\system32\pfnvdsdd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39EBC0A3-0793-4B15-AAF2-0CDA23BB2D3E}]
08/02/2007 08:43 AM 282624 --a------ C:\Program Files\Windows NT\meqocahot4444.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78E5CBB5-A5C2-4FCF-8E72-54273C3AA186}]
02/05/2008 01:30 AM 328704 --a------ C:\WINDOWS\system32\jkhfc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96e54d11-3a80-40b1-b98f-35619fe2faaa}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
02/05/2008 01:31 AM 163904 --a------ C:\WINDOWS\system32\wslezvlu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}]
02/05/2008 12:53 AM 40960 --a------ C:\WINDOWS\system32\opnopqq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC2C0946-1082-40F3-88CB-080546426B2F}]
08/02/2007 08:43 AM 282624 --a------ C:\Program Files\Windows NT\meqocahot83122.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/11/2005 07:34 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 01:42 PM]
"lxamsp32.exe"="lxamsp32.exe" [10/21/2001 02:12 PM C:\WINDOWS\SYSTEM32\LXAMSP32.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/21/2001 11:54 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"runner1"="C:\WINDOWS\mrofinu572.exe" [02/05/2008 12:53 AM]
"4c86c91b"="C:\WINDOWS\system32\cyjtuvys.dll" [02/05/2008 01:33 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" []
"hip2p"="C:\Program Files\hip2p\hip2p.exe" [02/15/2006 09:23 AM]
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [02/05/2008 01:26 AM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
C:\Documents and Settings\Helen Chiu\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 1:04:12 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AcBtnMgr_X63.exe.lnk - C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe [6/6/2001 3:03:10 PM]
ACMonitor_X63.exe.lnk - C:\Program Files\LexmarkX63\ACMonitor_X63.exe [6/6/2001 3:02:28 PM]
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [12/16/2005 9:55:16 PM]
DESKTOP.INI [8/10/2004 1:04:12 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks]
"{E180F496-8A4B-44E2-9FE0-0364E345DB7F}"= C:\WINDOWS\system32\opnopqq.dll [02/05/2008 12:53 AM 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmsCFG]
cmsCFG.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnopqq]
opnopqq.dll 02/05/2008 12:53 AM 40960 C:\WINDOWS\SYSTEM32\opnopqq.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wslezvlu]
wslezvlu.dll 02/05/2008 01:31 AM 163904 C:\WINDOWS\SYSTEM32\wslezvlu.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhfc
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1134535982\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skyme]
NULL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Unshare]
C:\Program Files\safe-share\SafeShare.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS "=3 (0x3)
"CiSvc"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CommCtr"=C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
"spc_w"="C:\Program Files\NZSearch\nzspc.exe" -w
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"PrinTray"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"ANIWZCS2Service"=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
"ShowIcon_The Company_MP3 Flash Drive Driver v2.08r022"="C:\Program Files\MP3 Flash Drive Driver v2.08r022\shwicon.exe" -t"The Company\MP3 Flash Drive Driver v2.08r022"
"SunJavaUpdateSched"=C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
*Newly Created Service* - COMHOST
-- End of Deckard's System Scanner: finished at 2008-02-06 01:00:48 ------------------------
7th February 2008
#3
Staff
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,547
Computer Experience: Somedays it's like Taz
Hi schin
Welcome to Windowsbbs
I have merged your two threads, please make all replies to this thread.
Please give me an uninstall list, here is how.
To get an Uninstall List from HijackThis:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
Please post the results here.
Thanks
Geri
7th February 2008
#4
Inactive
Profile:
Join Date: Feb 2008
Posts: 17
Computer Experience: Intermediate
uninstall_list.txt
Hi Geri,
Thanks for the warm greetings. I've read a couple of posts and everyone seems super helpful.
I ran in normal mode and I noticed it tried to reach the web after logging in. Luckily, it's unplugged. This is a shared computer, so I'm not conscious of all that is installed.
Thanks for your help. Looking forward to your reply.
Below is my uninstall_list.txt:
µTorrent
ACDSee 8
Ad -Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 7.0.9 Professional
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader Chinese Traditional Fonts
Adobe Shockwave Player
Adobe Stock Photos 1.0
AirPlus XtremeG
ANIO Service
ANIWZCS2 Service
AnswerWorks 4.0 Runtime - English
AppCore
Apple Mobile Device Support
Apple Software Update
AV
BUM
Canon IXY 200a, PowerShot S200, IXUS v2 WIA Driver
Canon PhotoRecord
Canon Utilities PhotoStitch 3.1
Canon Utilities RAW Image Converter2
Canon Utilities RemoteCapture 2.4
Canon Utilities ZoomBrowser EX
ccCommon
Conexant D850 56K V.9x DFVc Modem
dBpoweramp Music Converter
Dell Driver Reset Tool
Dell Picture Studio v3.0
Dell Support 3.1
Digital Line Detect
DVD Decrypter (Remove Only)
Free WMA to MP3 Converter 1.16
FXCM Chart Plugin II
FXCM News Plugin II
FXCM Trading Station II
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
Ipswitch WS_FTP LE
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
K-Lite Mega Codec Pack 1.53
LaserJet 1020 series
Learn2 Player (Uninstall Only)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
LLC Forms
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Outlook Web Access S/MIME
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Modem Helper
Mozilla Firefox (2.0.0.11)
MP3 Flash Drive Driver v2.08r022
MSRedist
Nero 6 Enterprise Edition
Net2Phone CommCenter
NetWaiting
NetZero Internet
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Outerinfo
PCMan 2004 Combo
PowerDVD
PowerISO
Qualxserve Service Agreement
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer
River Past Audio Converter
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Skype 1.4
Smart Wedding 4.0
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SPBBC 32bit
SymNet
Turbo Lister 2
TurboTax Deluxe 2007
TurboTax Premier 2005
TurboTax Premier Investments 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VideoLAN VLC media player 0.8.2
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebPainter for Win32 version 3.0
WexTech AnswerWorks
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB893086
WinRAR archiver
7th February 2008
#5
Staff
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,547
Computer Experience: Somedays it's like Taz
Hi schin
Quote:
This is a shared computer
All accounts will need to be gone through and cleaned, one at a time. Remind me of this after this account is cleaned. Thanks.
Please do this in the order given.
Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
Outerinfo
Please note any other programs that you don't recognize in that list and post them in your next response.
Now this.
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Now do this.
Download ComboFix from here to your Desktop.
It's best to disable realtime protection applications as they sometimes interfere with the tool. Check this link for any applicable programs you may have.
Close all open programs and windows
Double click combofix.exe and follow the prompts.
Vista users right click Combofix.exe and select Run As Administrator.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Please post the SDFix log and the Combofix log.
Thanks
Geri
7th February 2008
#6
Inactive
Profile:
Join Date: Feb 2008
Posts: 17
Computer Experience: Intermediate
Can't remove Outerinfo
Geri,
I tried to remove OuterInfo which takes 715 megs of data, but I get the following message:
Yazzle Uninstall
=============
Download of uninstaller failed: creating socket. Please download and run the uninstaller from http://www.outerinfo.com/OiUninstaller.exe
I've tried to d/l it, but the site/file is not there.
I have the following programs which I do not recognize:
Anio Service
Aniwzcsz Service
Drmupgds
Qualxserve Service Agreement
WexTechAnswerWorks
Should I proceed with SDFix and ComboFix without uninstalling this? I tried in both Safe and Normal mode.
Last edited by schin; 7th February 2008 at 07:26.
7th February 2008
#7
Staff
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,547
Computer Experience: Somedays it's like Taz
Hi
Just proceed with the tools I asked you to run.
Geri
8th February 2008
#8
Inactive
Profile:
Join Date: Feb 2008
Posts: 17
Computer Experience: Intermediate
Report.txt
SDFix: Version 1.137
Run by Helen Chiu on Thu 02/07/2008 at 02:00 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\PROGRA~1\COMMON~1\RTELEK~1.HTM - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\Temporary\kernInst.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe - Deleted
C:\WINDOWS\17PHolmes1000106.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\mrofinu572.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\TTC-4444.exe - Deleted
Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk
Folder C:\Program Files\Temporary - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Removing Temp Files...
ADS Check:
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 02:15:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1134535982\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1134535982\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1134535982\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1134535982\\ee\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Premier 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files:
---------------
C:\WINDOWS\system32\drivers\core.cache.dsk Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Sat 8 Oct 2005 337,723 A.SH. --- "C:\WINDOWS\SYSTEM32\jjkkj.bak2"
Thu 7 Feb 2008 210 ..SH. --- "C:\WINDOWS\SYSTEM32\wslezvlu.dllbox"
Fri 7 Oct 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT5.tmp"
Tue 22 Jun 2004 53,248 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL0003.tmp"
Tue 22 Jun 2004 20,480 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL0005.tmp"
Tue 22 Jun 2004 25,088 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL0171.tmp"
Tue 22 Jun 2004 20,480 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL0585.tmp"
Tue 22 Jun 2004 27,648 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL0640.tmp"
Tue 22 Jun 2004 25,088 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL0681.tmp"
Tue 22 Jun 2004 24,064 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL0720.tmp"
Tue 22 Jun 2004 25,600 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL1074.tmp"
Tue 22 Jun 2004 24,064 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL1110.tmp"
Tue 22 Jun 2004 24,064 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL1138.tmp"
Tue 22 Jun 2004 24,064 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL1295.tmp"
Tue 22 Jun 2004 26,112 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL1990.tmp"
Tue 22 Jun 2004 27,648 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL2102.tmp"
Tue 22 Jun 2004 24,064 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL2396.tmp"
Tue 22 Jun 2004 24,064 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL2500.tmp"
Tue 22 Jun 2004 24,064 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL3161.tmp"
Tue 22 Jun 2004 69,632 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL3387.tmp"
Tue 22 Jun 2004 24,064 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL3491.tmp"
Tue 22 Jun 2004 23,552 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL3518.tmp"
Tue 22 Jun 2004 23,040 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL3520.tmp"
Tue 22 Jun 2004 24,064 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Memory Stick\New Folder\~WRL3646.tmp"
Mon 26 Aug 2002 29,184 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL0001.tmp"
Mon 26 Aug 2002 29,184 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL0002.tmp"
Mon 26 Aug 2002 29,696 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL0003.tmp"
Thu 22 Aug 2002 19,456 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL0005.tmp"
Mon 26 Aug 2002 30,208 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL0565.tmp"
Mon 26 Aug 2002 29,696 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL0728.tmp"
Mon 26 Aug 2002 29,184 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL0928.tmp"
Mon 26 Aug 2002 28,672 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL0987.tmp"
Mon 26 Aug 2002 29,696 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL1023.tmp"
Mon 26 Aug 2002 28,160 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL1340.tmp"
Mon 26 Aug 2002 29,696 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL1982.tmp"
Mon 26 Aug 2002 28,672 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL2350.tmp"
Mon 26 Aug 2002 29,184 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL2720.tmp"
Mon 26 Aug 2002 29,696 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL3173.tmp"
Mon 26 Aug 2002 28,672 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL3543.tmp"
Mon 26 Aug 2002 29,184 ...H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\My Documents\UMCP Assignment\~WRL4031.tmp"
Mon 19 Aug 2002 3,958 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\MP32.tmp"
Mon 19 Aug 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\MP32h.tmp"
Mon 19 Aug 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\MP32s.tmp"
Sun 18 Aug 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\MP338h.tmp"
Sun 18 Aug 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\MP338s.tmp"
Sun 18 Aug 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\MP33Ah.tmp"
Sun 18 Aug 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\MP33As.tmp"
Mon 19 Aug 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\MP3h.tmp"
Mon 19 Aug 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\MP3s.tmp"
Sun 18 Aug 2002 10,294 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\My 39h.tmp"
Sun 18 Aug 2002 10,294 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\My 39s.tmp"
Wed 2 Oct 2002 9,718 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\Off2.tmp"
Wed 2 Oct 2002 8,246 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\Off2h.tmp"
Wed 2 Oct 2002 8,246 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\Off2s.tmp"
Thu 1 Apr 2004 9,718 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\Off3.tmp"
Thu 1 Apr 2004 8,246 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\Off3h.tmp"
Thu 1 Apr 2004 8,246 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\Off3s.tmp"
Sun 9 Jun 2002 7,318 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\OffEC.tmp"
Sun 9 Jun 2002 8,246 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\OffECh.tmp"
Sun 9 Jun 2002 8,246 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\OffECs.tmp"
Sun 9 Jun 2002 8,246 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\Officeh.tmp"
Sun 9 Jun 2002 8,246 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\Offices.tmp"
Fri 21 Jun 2002 6,358 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\??31.tmp"
Fri 21 Jun 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\??31h.tmp"
Fri 21 Jun 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\??31s.tmp"
Fri 21 Jun 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\??h.tmp"
Fri 21 Jun 2002 7,222 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\??s.tmp"
Sun 9 Jun 2002 9,270 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\???11Bh.tmp"
Sun 9 Jun 2002 9,270 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\???11Bs.tmp"
Wed 25 Sep 2002 5,398 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\???2.tmp"
Fri 21 Jun 2002 4,918 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\???2C.tmp"
Fri 21 Jun 2002 9,270 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\???2Ch.tmp"
Fri 21 Jun 2002 9,270 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\???2Cs.tmp"
Wed 25 Sep 2002 9,270 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\???2h.tmp"
Wed 25 Sep 2002 9,270 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\???2s.tmp"
Wed 24 Sep 2003 4,918 A..H. --- "C:\Documents and Settings\Helen Chiu\My Documents\_Laptop 08.01.05\Helen\Local Settings\Temp\???3.tmp"
Finished!
8th February 2008
#9
Inactive
Profile:
Join Date: Feb 2008
Posts: 17
Computer Experience: Intermediate
ComboFix.log
ComboFix 08-02.05.3 - Helen Chiu 2008-02-07 22:02:13.2 - NTFSx86
Running from: C:\Documents and Settings\Helen Chiu\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.
2008-02-07 02:32 . 2004-08-04 05:00 388,608 --a------ C:\kmd.exe
2008-02-07 01:57 . 2008-02-07 01:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-07 00:38 . 2008-02-07 02:30 <DIR> d-------- C:\SDFix
2008-02-06 00:50 . 2008-02-06 00:50 <DIR> d-------- C:\Deckard
2008-02-05 22:43 . 2008-02-05 22:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 01:26 . 2008-02-05 01:26 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-05 00:53 . 2008-02-05 00:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-02-05 00:53 . 2008-02-05 00:54 <DIR> d-------- C:\temp\isgTi19
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 03:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-07 08:15 --------- d-----w C:\Documents and Settings\Helen Chiu\Application Data\Lavasoft
2008-02-07 08:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-07 02:25 --------- d-----w C:\Program Files\Sierra On-Line
2008-02-07 02:25 --------- d-----w C:\Program Files\Safe-Share Downloads
2008-02-07 02:25 --------- d-----w C:\Program Files\NetZero
2008-02-07 02:25 --------- d-----w C:\Program Files\NetWaiting
2008-02-07 02:25 --------- d-----w C:\Program Files\MP3 Flash Drive Driver v2.08r022
2008-02-07 02:25 --------- d-----w C:\Program Files\Modem Helper
2008-02-07 02:25 --------- d-----w C:\Program Files\IKEA HomePlanner
2008-02-01 23:51 --------- d-----w C:\Documents and Settings\Helen Chiu\Application Data\uTorrent
2008-01-31 04:41 --------- d-----w C:\Program Files\Net2Phone CommCenter
2008-01-26 00:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-23 19:44 --------- d-----w C:\Documents and Settings\Helen Chiu\Application Data\Intuit
2008-01-02 05:51 --------- d-----w C:\Program Files\Sportsbook Poker
2007-12-26 02:44 --------- d-----w C:\Program Files\WON
2007-12-26 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 02:40 --------- d-----w C:\Program Files\MasterCook 8
2007-12-11 03:07 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-12-11 02:52 --------- d-----w C:\Program Files\TurboTax
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2007-03-25 13:29 439,296 ----a-w C:\Documents and Settings\Helen Chiu\GoToAssist_phone__317_en.exe
2006-11-09 00:57 194,376 ----a-w C:\Documents and Settings\Helen Chiu\Application Data\shb.dat
2005-11-10 17:29 389,120 ----a-w C:\Documents and Settings\Helen Chiu\remote.exe
2005-10-08 17:21 2,449,408 ----a-w C:\Documents and Settings\Helen Chiu\gosetup.exe
2005-10-08 16:01 337,723 -csha-w C:\WINDOWS\SYSTEM32\jjkkj.bak2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{062479A8-C6C3-4A5E-9D8E-E5F2D9E02CAB}]
C:\Program Files\Common Files\qucav.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" [ ]
"hip2p"="C:\Program Files\hip2p\hip2p.exe" [2006-02-15 09:23 3048960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-11 19:34 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 14:12 45056 C:\WINDOWS\SYSTEM32\LXAMSP32.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-21 11:54 36864]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmsCFG]
cmsCFG.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1134535982\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-10-11 19:35 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skyme]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-10-11 19:34 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Unshare]
C:\Program Files\safe-share\SafeShare.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS "=3 (0x3)
"CiSvc"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CommCtr"=C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
"spc_w"="C:\Program Files\NZSearch\nzspc.exe" -w
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"PrinTray"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"ANIWZCS2Service"=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
"ShowIcon_The Company_MP3 Flash Drive Driver v2.08r022"="C:\Program Files\MP3 Flash Drive Driver v2.08r022\shwicon.exe" -t"The Company\MP3 Flash Drive Driver v2.08r022"
"SunJavaUpdateSched"=C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 05:00]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2005-07-26 13:32]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-03-15 20:11]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-22 18:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-05 01:42:41 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Helen Chiu.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-08 03:08:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 22:06:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-07 22:09:04
ComboFix-quarantined-files.txt 2008-02-08 03:09:00
ComboFix2.txt 2008-02-07 08:04:15
.
2008-01-09 08:02:37 --- E O F ---
8th February 2008
#10
Inactive
Profile:
Join Date: Feb 2008
Posts: 17
Computer Experience: Intermediate
HiJackThis.log
Geri,
Windows doesn't give me the pop-up and the Outer Info is not in my Program list.
Oddly, when I run IE it seems to log files slower. When I use FireFox, there doesn't appear to be a "hitch" or slow display. Is this usual?
Looks like I'm super close.... thanks for all your help. Looking forward to your clean bill of health message! =)
-schin
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:58 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnyes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: 0 - {062479A8-C6C3-4A5E-9D8E-E5F2D9E02CAB} - C:\Program Files\Common Files\qucav.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {92B255FE-94E2-4BCA-958D-3926CE38913F} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [hip2p] C:\Program Files\hip2p\hip2p.exe min
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-68e4741c1554c772.spaces.l...d/MsnPUpld.cab
O20 - Winlogon Notify: cmsCFG - cmsCFG.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 9529 bytes
8th February 2008
#11
Staff
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,547
Computer Experience: Somedays it's like Taz
Hi schin
Please do these in the order given.
Do you know what this is?
C:\Program Files\hip2p
You ran Combofix 2 times, I need to see the first combofix log.
ComboFix2.txt, which I believe is located in c:\qoobox
Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Jotti File Submission: Please go to Jotti's malware scan
Copy and paste the following file paths into the "File to upload & scan" box on the top of the page, one at a time.
C:\Documents and Settings\Helen Chiu\Application Data\shb.dat
C:\Documents and Settings\Helen Chiu\remote.exe
Click on the submit button
Please post the results in your next reply.
Please post the Vundo log, Combofix log and Jotti results.
Also let me know if you know what that program is.
Thanks
Geri
8th February 2008
#12
Inactive
Profile:
Join Date: Feb 2008
Posts: 17
Computer Experience: Intermediate
ComboFix2.txt
I couldn't find the ComboFix file after I ran it last night and reran it.
The file you requested in the Qoobox directory is:
ComboFix 08-02.05.3 - Helen Chiu 2008-02-07 2:34:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.152 [GMT -5:00]
Running from: C:\Documents and Settings\Helen Chiu\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\FLPYDISKK.sys
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\opnopqq.dll
C:\WINDOWS\system32\wslezvlu.dll
C:\Program Files\Windows NT\meqocahot4444.dll
C:\Program Files\Windows NT\meqocahot83122.dll
C:\temp\tn3
C:\WINDOWS\system32\b3
C:\WINDOWS\system32\b3\snmaildriv3.exe
C:\WINDOWS\SYSTEM32\cfhkj.ini
C:\WINDOWS\SYSTEM32\cfhkj.ini2
C:\WINDOWS\system32\cyjtuvys.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\FLPYDISKK.sys
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\opnopqq.dll
C:\WINDOWS\system32\p4
C:\WINDOWS\system32\pfnvdsdd.dll
C:\WINDOWS\system32\s5
C:\WINDOWS\system32\s5\advcomms3.exe
C:\WINDOWS\SYSTEM32\syvutjyc.ini
C:\WINDOWS\system32\v9
C:\WINDOWS\system32\v9\rabs2135.exe
C:\WINDOWS\system32\vhosgnsk.dll
C:\WINDOWS\system32\wslezvlu.dll
C:\WINDOWS\system32\wslezvlu.dllbox
C:\WINDOWS\system32\z6
C:\WINDOWS\system32\z6\kiffs83122.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_FLPYDISKK
-------\FLPYDISKK
((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.
2008-02-07 01:57 . 2008-02-07 01:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-07 00:38 . 2008-02-07 02:30 <DIR> d-------- C:\SDFix
2008-02-06 00:50 . 2008-02-06 00:50 <DIR> d-------- C:\Deckard
2008-02-05 22:43 . 2008-02-05 22:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 01:26 . 2008-02-05 01:26 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-05 00:53 . 2008-02-05 00:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-02-05 00:53 . 2008-02-05 00:54 <DIR> d-------- C:\temp\isgTi19
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 02:25 --------- d-----w C:\Program Files\Sierra On-Line
2008-02-07 02:25 --------- d-----w C:\Program Files\Safe-Share Downloads
2008-02-07 02:25 --------- d-----w C:\Program Files\NetZero
2008-02-07 02:25 --------- d-----w C:\Program Files\NetWaiting
2008-02-07 02:25 --------- d-----w C:\Program Files\MP3 Flash Drive Driver v2.08r022
2008-02-07 02:25 --------- d-----w C:\Program Files\Modem Helper
2008-02-07 02:25 --------- d-----w C:\Program Files\IKEA HomePlanner
2008-02-05 06:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-01 23:51 --------- d-----w C:\Documents and Settings\Helen Chiu\Application Data\uTorrent
2008-01-31 04:41 --------- d-----w C:\Program Files\Net2Phone CommCenter
2008-01-26 00:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-23 19:44 --------- d-----w C:\Documents and Settings\Helen Chiu\Application Data\Intuit
2008-01-02 05:51 --------- d-----w C:\Program Files\Sportsbook Poker
2007-12-26 02:44 --------- d-----w C:\Program Files\WON
2007-12-26 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 02:40 --------- d-----w C:\Program Files\MasterCook 8
2007-12-11 03:07 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-12-11 02:52 --------- d-----w C:\Program Files\TurboTax
2007-03-25 13:29 439,296 ----a-w C:\Documents and Settings\Helen Chiu\GoToAssist_phone__317_en.exe
2006-11-09 00:57 194,376 ----a-w C:\Documents and Settings\Helen Chiu\Application Data\shb.dat
2005-11-10 17:29 389,120 ----a-w C:\Documents and Settings\Helen Chiu\remote.exe
2005-10-08 17:21 2,449,408 ----a-w C:\Documents and Settings\Helen Chiu\gosetup.exe
2005-10-08 16:01 337,723 -csha-w C:\WINDOWS\SYSTEM32\jjkkj.bak2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{062479A8-C6C3-4A5E-9D8E-E5F2D9E02CAB}]
C:\Program Files\Common Files\qucav.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" [ ]
"hip2p"="C:\Program Files\hip2p\hip2p.exe" [2006-02-15 09:23 3048960]
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [2008-02-05 01:26 61440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-11 19:34 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 14:12 45056 C:\WINDOWS\SYSTEM32\LXAMSP32.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-21 11:54 36864]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmsCFG]
cmsCFG.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1134535982\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-10-11 19:35 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skyme]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-10-11 19:34 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Unshare]
C:\Program Files\safe-share\SafeShare.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS "=3 (0x3)
"CiSvc"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CommCtr"=C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
"spc_w"="C:\Program Files\NZSearch\nzspc.exe" -w
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"PrinTray"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"ANIWZCS2Service"=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
"ShowIcon_The Company_MP3 Flash Drive Driver v2.08r022"="C:\Program Files\MP3 Flash Drive Driver v2.08r022\shwicon.exe" -t"The Company\MP3 Flash Drive Driver v2.08r022"
"SunJavaUpdateSched"=C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 05:00]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2005-07-26 13:32]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-03-15 20:11]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-22 18:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-05 01:42:41 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Helen Chiu.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-07 08:03:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 03:01:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-07 3:04:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 08:04:10
.
2008-01-09 08:02:37 --- E O F ---
8th February 2008
#13
Inactive
Profile:
Join Date: Feb 2008
Posts: 17
Computer Experience: Intermediate
VundoFix.txt
The Jotti came back with "Found Nothing" messages for both files.
=========
VundoFix V6.7.8
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 12:27:54 AM 2/8/2008
Listing files found while scanning....
No infected files were found.
Beginning removal...
8th February 2008
#14
Staff
Profile:
Join Date: Mar 2003
Location: Washington State
Posts: 4,547
Computer Experience: Somedays it's like Taz
Hi schin
Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;
Filename: CFScript.txt
Save As Type: All Files (*.*)
Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.
Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
Code:
File::
C:\WINDOWS\SYSTEM32\jjkkj.bak2
Folder::
C:\WINDOWS\SYSTEM32\nGpxx01
C:\temp\isgTi19
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{062479A8-C6C3-4A5E-9D8E-E5F2D9E02CAB}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmsCFG]
Please post the new combofix log.
Thanks
Geri
9th February 2008
#15
Inactive
Profile:
Join Date: Feb 2008
Posts: 17
Computer Experience: Intermediate
ComboFix.txt
ComboFix 08-02.05.3 - Helen Chiu 2008-02-08 20:07:59.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.215 [GMT -5:00]
Running from: C:\Documents and Settings\Helen Chiu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Helen Chiu\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\SYSTEM32\jjkkj.bak2
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\temp\isgTi19
C:\temp\isgTi19\lPig.log
C:\WINDOWS\SYSTEM32\jjkkj.bak2
C:\WINDOWS\SYSTEM32\nGpxx01
C:\WINDOWS\SYSTEM32\nGpxx01\nGpxx011065.exe
.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.
2008-02-08 00:27 . 2008-02-08 00:27 <DIR> d-------- C:\VundoFix Backups
2008-02-07 22:38 . 2008-02-07 22:38 <DIR> d-------- C:\Documents and Settings\Helen Chiu\Application Data\Comodo
2008-02-07 22:38 . 2008-02-07 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-02-07 22:36 . 2008-02-07 22:50 <DIR> d-------- C:\Program Files\Comodo
2008-02-07 22:36 . 2006-12-21 23:35 211 --a------ C:\boot.ini.comodofirewall
2008-02-07 22:24 . 2008-02-07 22:24 <DIR> d-------- C:\Program Files\CodeStuff
2008-02-07 22:23 . 2008-02-07 22:23 <DIR> d-------- C:\StartupSetup
2008-02-07 22:01 . 2004-08-04 05:00 388,608 --a------ C:\kmd.exe
2008-02-07 01:57 . 2008-02-07 01:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-07 00:38 . 2008-02-07 02:30 <DIR> d-------- C:\SDFix
2008-02-06 00:50 . 2008-02-06 00:50 <DIR> d-------- C:\Deckard
2008-02-05 22:43 . 2008-02-05 22:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 01:26 . 2008-02-05 01:26 <DIR> d-------- C:\Program Files\Drmupgds
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 07:12 --------- d-----w C:\Documents and Settings\Helen Chiu\Application Data\uTorrent
2008-02-08 03:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-07 08:15 --------- d-----w C:\Documents and Settings\Helen Chiu\Application Data\Lavasoft
2008-02-07 08:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-07 02:25 --------- d-----w C:\Program Files\Sierra On-Line
2008-02-07 02:25 --------- d-----w C:\Program Files\Safe-Share Downloads
2008-02-07 02:25 --------- d-----w C:\Program Files\NetZero
2008-02-07 02:25 --------- d-----w C:\Program Files\NetWaiting
2008-02-07 02:25 --------- d-----w C:\Program Files\MP3 Flash Drive Driver v2.08r022
2008-02-07 02:25 --------- d-----w C:\Program Files\Modem Helper
2008-02-07 02:25 --------- d-----w C:\Program Files\IKEA HomePlanner
2008-01-31 04:41 --------- d-----w C:\Program Files\Net2Phone CommCenter
2008-01-26 00:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-23 19:44 --------- d-----w C:\Documents and Settings\Helen Chiu\Application Data\Intuit
2008-01-02 05:51 --------- d-----w C:\Program Files\Sportsbook Poker
2007-12-26 02:44 --------- d-----w C:\Program Files\WON
2007-12-26 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 02:40 --------- d-----w C:\Program Files\MasterCook 8
2007-12-11 03:07 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-12-11 02:52 --------- d-----w C:\Program Files\TurboTax
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2007-03-25 13:29 439,296 ----a-w C:\Documents and Settings\Helen Chiu\GoToAssist_phone__317_en.exe
2006-11-09 00:57 194,376 ----a-w C:\Documents and Settings\Helen Chiu\Application Data\shb.dat
2005-11-10 17:29 389,120 ----a-w C:\Documents and Settings\Helen Chiu\remote.exe
2005-10-08 17:21 2,449,408 ----a-w C:\Documents and Settings\Helen Chiu\gosetup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1134535982\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-10-11 19:35 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skyme]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-10-11 19:34 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Unshare]
C:\Program Files\safe-share\SafeShare.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS "=3 (0x3)
"CiSvc"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CommCtr"=C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
"spc_w"="C:\Program Files\NZSearch\nzspc.exe" -w
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"PrinTray"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"ANIWZCS2Service"=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
"ShowIcon_The Company_MP3 Flash Drive Driver v2.08r022"="C:\Program Files\MP3 Flash Drive Driver v2.08r022\shwicon.exe" -t"The Company\MP3 Flash Drive Driver v2.08r022"
"SunJavaUpdateSched"=C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 05:00]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2005-07-26 13:32]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-03-15 20:11]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-22 18:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-05 01:42:41 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Helen Chiu.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-09 01:08:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 20:11:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-08 20:13:17
ComboFix-quarantined-files.txt 2008-02-09 01:13:02
ComboFix2.txt 2008-02-08 03:09:05
ComboFix3.txt 2008-02-07 08:04:15
.
2008-01-09 08:02:37 --- E O F ---