Not Sure What I Have, But It Looks Like Everyone Else's

I have two new icons on the desktop (Help & Support and Windows Update). Internet Explorer went berserk. Then Windows stopped loading (XP, Pro, SP2). Used the install disk & repaired Windows to load.


I loaded HJT to a jump drive from work and ran it. Log is here.


Please help!!!!


Logfile of Trend Micro HijackThis v2.0.0 (BETA)


Scan saved at 5:44:27 PM, on 2/27/2008


Platform: Windows XP SP2 (WinNT 5.01.2600)


Boot mode: Normal


Running processes:


C:\WINDOWS\System32\smss.exe


C:\WINDOWS\system32\csrss.exe


C:\WINDOWS\system32\winlogon.exe


C:\WINDOWS\system32\services.exe


C:\WINDOWS\system32\lsass.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\System32\svchost.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\system32\spoolsv.exe


C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


C:\WINDOWS\system32\cisvc.exe


C:\WINDOWS\IA\command.exe


C:\WINDOWS\system32\sdpasvc.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\System32\alg.exe


C:\WINDOWS\system32\dllhost.exe


C:\WINDOWS\system32\msdtc.exe


C:\WINDOWS\system32\wscntfy.exe


C:\Program Files\Common Files\Real\Update_OB\realsched.exe


E:\iTunes\iTunesHelper.exe


C:\WINDOWS\Fonts\svchost.exe


C:\WINDOWS\system32\rundll32.exe


C:\WINDOWS\system32\ctfmon.exe


C:\Program Files\Messenger\msmsgs.exe


C:\Program Files\iPod\bin\iPodService.exe


C:\WINDOWS\explorer.exe


C:\WINDOWS\system32\windows


C:\WINDOWS\system32\cidaemon.exe


H:\HiJackThis_v2.exe


C:\WINDOWS\system32\wbem\wmiprvse.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/


O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll


O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll


O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll


O2 - BHO: (no name) - {5572363F-F2D9-41F5-8B4D-DE96E76FFDE7} - C:\Program Files\folder.js\cymawigu89104.dll (file missing)


O2 - BHO: (no name) - {87526773-6e7b-4187-8aa2-d1221f2213a9} - C:\WINDOWS\system32\gvrgyyw.dll


O2 - BHO: (no name) - {94E7FB49-508F-4BF5-B21B-273DB57B373A} - C:\Program Files\folder.js\cymawigu89104.dll (file missing)


O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\grxnofvn.dll


O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)


O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


O2 - BHO: (no name) - {C4C75055-666C-4065-81CB-F3F79CF52E4D} - C:\WINDOWS\system32\qopno.dll


O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)


O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll


O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async


O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"


O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe


O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310


O4 - HKLM\..\Run: [2863b2a6] rundll32.exe "C:\WINDOWS\system32\grfrfmxy.dll",b


O4 - HKLM\..\Run: [bM2b50813a] Rundll32.exe "C:\WINDOWS\system32\xlnerxff.dll",s


O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe


O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe


O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe


O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')


O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')


O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')


O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')


O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe


O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE


O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = D:\Palm\Hotsync.exe


O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html


O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html


O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html


O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html


O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000


O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html


O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html


O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll


O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O20 - Winlogon Notify: !SASWinLogon - G:\SASWINLO.dll


O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll


O20 - Winlogon Notify: xxyvvut - C:\WINDOWS\SYSTEM32\xxyvvut.dll


O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll


O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll


O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe


O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows


O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe


--


End of file - 7330 bytes

Comments

  • Chesda
    edited February 2008

    o1darcie1o,


    You are infected with Trojan.Vundo. This is a nasty virus to get rid of, so my instructions may only temporarily fix your computer.


    Run Hijackthis, do a System Scan Only.


    Check and fix the following entries:


    O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll
    O2 - BHO: (no name) - {5572363F-F2D9-41F5-8B4D-DE96E76FFDE7} - C:\Program Files\folder.js\cymawigu89104.dll (file missing)
    O2 - BHO: (no name) - {87526773-6e7b-4187-8aa2-d1221f2213a9} - C:\WINDOWS\system32\gvrgyyw.dll
    O2 - BHO: (no name) - {94E7FB49-508F-4BF5-B21B-273DB57B373A} - C:\Program Files\folder.js\cymawigu89104.dll (file missing)
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\grxnofvn.dll
    O2 - BHO: (no name) - {C4C75055-666C-4065-81CB-F3F79CF52E4D} - C:\WINDOWS\system32\qopno.dll
    O4 - HKLM\..\Run: [2863b2a6] rundll32.exe "C:\WINDOWS\system32\grfrfmxy.dll",b
    O4 - HKLM\..\Run: [BM2b50813a] Rundll32.exe "C:\WINDOWS\system32\xlnerxff.dll",s
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
    O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll
    O20 - Winlogon Notify: xxyvvut - C:\WINDOWS\SYSTEM32\xxyvvut.dll


    After you've fixed these, please download Atribune's VundoFix from this site: http://www.atribune.org/ccount/click.php?id=4 and place it on your desktop.


    Double-click VundoFix.exe to run it.


    Click the Scan for Vundo button.


    Once it's done scanning, click the Remove Vundo button.


    You will receive a prompt asking if you want to remove the files; click YES.


    Once you click yes, your desktop will go blank as it starts removing Vundo.


    When completed, it will prompt that it will reboot your computer; click OK.


    Post a fresh Hijackthis log after you've done all the procedures mentioned above.


    Best of luck.



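One way to automate the entry selection done by hand in the reply above, as an added example that is not part of this thread and not code from HijackThis or Trend Micro: a small triage script that parses O2/O4/O20 lines and flags the patterns that mark Vundo in this log (unnamed BHOs, orphaned registrations, random-looking DLL names, rundll32 loading a DLL through a single-letter export, svchost.exe started from a Run key, and the same DLL registered both as a BHO and as a Winlogon Notify handler). The sample lines are copied from the log posted above; the heuristics, thresholds and function names are my own assumptions.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted in this thread,
# with benign neighbours (Adobe, QuickTime, ctfmon, SUPERAntiSpyware) kept in so the
# heuristics have lines they must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll
O2 - BHO: (no name) - {5572363F-F2D9-41F5-8B4D-DE96E76FFDE7} - C:\Program Files\folder.js\cymawigu89104.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\grxnofvn.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [2863b2a6] rundll32.exe "C:\WINDOWS\system32\grfrfmxy.dll",b
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O20 - Winlogon Notify: !SASWinLogon - G:\SASWINLO.dll
O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll
"""

# Line shapes HijackThis uses for the three sections that matter for Vundo.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run\w*: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)


def file_stem(path):
    """Lower-case file name without directory, extension or HJT's trailing notes."""
    path = re.sub(r"\s*\((?:file missing|no file)\)\s*$", "", path.strip().strip('"'))
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def looks_random(stem):
    """Heuristic (mine, not HJT's): 5-8 lowercase letters containing a run of three
    consonants, the shape of the generated names in this log (grxnofvn, xxyvvut,
    grfrfmxy) but not of acroiehelper or saswinlo."""
    return re.fullmatch(r"[a-z]{5,8}", stem) is not None and re.search(r"[^aeiou]{3}", stem) is not None


def triage(log_text):
    """Return [(line, [reasons])] for every O2/O4/O20 entry that trips a heuristic."""
    lines = [raw.strip() for raw in log_text.splitlines() if raw.strip()]
    # Unnamed BHOs are collected first so Winlogon Notify entries can be cross-checked
    # against them whatever order the sections appear in.
    unnamed_bho_dlls = {file_stem(m["path"]) for m in map(BHO_RE.match, lines)
                        if m and m["name"] == "(no name)"}
    findings = []
    for line in lines:
        reasons = []
        bho, run, notify = BHO_RE.match(line), RUN_RE.match(line), NOTIFY_RE.match(line)
        if bho:
            if bho["name"] == "(no name)":
                reasons.append("BHO registered without a name")
            if "(file missing)" in bho["path"] or bho["path"] == "(no file)":
                reasons.append("BHO points at a file that no longer exists (orphaned registration)")
            if looks_random(file_stem(bho["path"])):
                reasons.append("random-looking DLL name")
        elif run:
            # The genuine svchost.exe is started by services.exe, never from a Run key.
            if "svchost.exe" in run["cmd"].lower():
                reasons.append("svchost.exe started from a Run key")
            rd = RUNDLL_RE.match(run["cmd"])
            if rd and len(rd["entry"]) == 1:
                reasons.append("rundll32 calls a single-letter export")
            if rd and looks_random(file_stem(rd["dll"])):
                reasons.append("rundll32 loads a random-looking DLL")
        elif notify:
            stem = file_stem(notify["path"])
            if looks_random(stem):
                reasons.append("random-looking Winlogon Notify DLL")
            if stem in unnamed_bho_dlls:
                reasons.append("same DLL is also an unnamed BHO (the BHO + Winlogon Notify pairing Vundo uses)")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the full log posted in this thread, the script reproduces the O2, O4 and O20 lines listed in the reply while leaving the Adobe, SnagIt, QuickTime and SUPERAntiSpyware entries alone.
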
  • o1darcie1o
    edited February 2008

    My post is showing up empty, so I'm trying to split it into a few:


    This will be a HUGE post, as I've run a lot of scans, and don't know enough about all of this to know which lines can be removed from the listing to still give a complete picture...


    The modem driver on the infected computer was uninstalled by something, so it's not connected to the internet. I'm working off a laptop to post, using a jump drive to transfer any programs and logs back & forth.


    After my first post last night, I was given a program by a tech friend: Trend Micro Sysclean Package. This took what seemed like forever to run. I ran it from the flash drive (H:)


    Sysclean Log


    2008-02-27, 19:29:55, Auto-clean mode specified.


    2008-02-27, 19:29:55, Running scanner "H:\TSC.BIN"...


    2008-02-27, 19:33:11, Scanner "H:\TSC.BIN" has finished running.


    2008-02-27, 19:33:11, TSC Log:


    2008-02-27, 19:35:00, An error was detected on "G:\System Volume Information\*.*": Access is denied.


    2008-02-27, 20:57:53, Files Detected:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 19:35:03


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=H:


    C:\WINDOWS\SYSTEM\msmsgs.exe [TROJ_ZLOB.GEN]


    C:\WINDOWS\SYSTEM32\urqqolk.dll [Mal_Vundo-3]


    C:\WINDOWS\SYSTEM32\ssqppno.dll [Mal_Vundo-3]


    C:\WINDOWS\SYSTEM32\csatr.exe [TROJ_AGENT.VIX]


    C:\WINDOWS\SYSTEM32\ogop.dll [TROJ_STARTPAG.SZ]


    C:\WINDOWS\SYSTEM32\ax3\dincomsdll3.exe [TROJ_DLOADER.DTK]


    C:\WINDOWS\SYSTEM32\ryyeidyb.dll [TROJ_VUNDO.YEK]


    C:\WINDOWS\SYSTEM32\grxnofvn.dll [TROJ_VUNDO.YEK]


    C:\WINDOWS\Downloaded Program Files\load.exe [TROJ_SMALL.ITN]


    C:\WINDOWS\ac3_0018.exe [TROJ_DLOADER.BRG]


    C:\WINDOWS\aff_0006.exe [TSPY_SOFTOMATE.A]


    C:\WINDOWS\srvedruxqh.exe [TROJ_DYFUCA.AI]


    C:\WINDOWS\uni_e6h.exe [TROJ_VB.VV]


    C:\WINDOWS\uninst108.exe [TROJ_VB.BKB]


    C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP1\A0000016.exe [TROJ_DLOADER.HGW]


    C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP1\A0000017.exe [TROJ_DLOADER.HGW]


    C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001022.exe [TROJ_AGENT.VIX]


    C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001023.dll [TROJ_STARTPAG.SZ]


    C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001024.exe [TROJ_DLOADER.DTK]


    C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001025.dll [TROJ_VUNDO.YEK]


    C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001026.exe [TROJ_DLOADER.BRG]


    C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001027.exe [TSPY_SOFTOMATE.A]


    C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001028.exe [TROJ_DYFUCA.AI]


    C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001029.exe [TROJ_VB.VV]


    C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001030.exe [TROJ_VB.BKB]


    C:\ms32.sys [TROJ_SMALL.FES]


    83079 files have been read.


    83079 files have been checked.


    73315 files have been scanned.


    103663 files have been scanned. (including files in archived)


    26 files containing viruses.


    Found 26 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 20:57:51


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 20:57:53, Files Clean:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 19:35:03


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=H:


    Success Clean [ TROJ_AGENT.VIX]( 1) from C:\WINDOWS\SYSTEM32\csatr.exe


    Success Clean [TROJ_STARTPAG.SZ]( 1) from C:\WINDOWS\SYSTEM32\ogop.dll


    Success Clean [TROJ_DLOADER.DTK]( 1) from C:\WINDOWS\SYSTEM32\ax3\dincomsdll3.exe


    Success Clean [ TROJ_VUNDO.YEK]( 1) from C:\WINDOWS\SYSTEM32\ryyeidyb.dll


    Success Clean [ TROJ_SMALL.ITN]( 1) from C:\WINDOWS\Downloaded Program Files\load.exe


    Success Clean [TROJ_DLOADER.BRG]( 1) from C:\WINDOWS\ac3_0018.exe


    Success Clean [TSPY_SOFTOMATE.A]( 1) from C:\WINDOWS\aff_0006.exe


    Success Clean [ TROJ_DYFUCA.AI]( 1) from C:\WINDOWS\srvedruxqh.exe


    Success Clean [ TROJ_VB.VV]( 1) from C:\WINDOWS\uni_e6h.exe


    Success Clean [ TROJ_VB.BKB]( 1) from C:\WINDOWS\uninst108.exe


    Success Clean [TROJ_DLOADER.HGW]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP1\A0000016.exe


    Success Clean [TROJ_DLOADER.HGW]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP1\A0000017.exe


    Success Clean [ TROJ_AGENT.VIX]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001022.exe


    Success Clean [TROJ_STARTPAG.SZ]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001023.dll


    Success Clean [TROJ_DLOADER.DTK]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001024.exe


    Success Clean [ TROJ_VUNDO.YEK]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001025.dll


    Success Clean [TROJ_DLOADER.BRG]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001026.exe


    Success Clean [TSPY_SOFTOMATE.A]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001027.exe


    Success Clean [ TROJ_DYFUCA.AI]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001028.exe


    Success Clean [ TROJ_VB.VV]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001029.exe


    Success Clean [ TROJ_VB.BKB]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001030.exe


    Success Clean [ TROJ_SMALL.FES]( 1) from C:\ms32.sys


    83079 files have been read.


    83079 files have been checked.


    73315 files have been scanned.


    103663 files have been scanned. (including files in archived)


    26 files containing viruses.


    Found 26 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 20:57:51 1 hour 22 minutes 23 seconds (4943.02 seconds) has elapsed.


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 20:57:53, Clean Fail:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 19:35:03


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=H:


    83079 files have been read.


    83079 files have been checked.


    73315 files have been scanned.


    103663 files have been scanned. (including files in archived)


    26 files containing viruses.


    Found 26 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 20:57:51 1 hour 22 minutes 23 seconds (4943.02 seconds) has elapsed.


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 20:57:53, Scanner "H:\VSCANTM.BIN" has finished running.


    2008-02-27, 21:12:41, Files Detected:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 20:58:04


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=H:


    26914 files have been read.


    26914 files have been checked.


    22826 files have been scanned.


    52874 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:12:39


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:12:42, Files Clean:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 20:58:04


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=H:


    26914 files have been read.


    26914 files have been checked.


    22826 files have been scanned.


    52874 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:12:39 14 minutes 17 seconds (857.15 seconds) has elapsed.


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:12:42, Clean Fail:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 20:58:04


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=H:


    26914 files have been read.


    26914 files have been checked.


    22826 files have been scanned.


    52874 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:12:39 14 minutes 17 seconds (857.15 seconds) has elapsed.


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:12:42, Scanner "H:\VSCANTM.BIN" has finished running.


    2008-02-27, 21:14:59, Files Detected:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 21:12:56


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=H:


    2516 files have been read.


    2516 files have been checked.


    1473 files have been scanned.


    9402 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:14:58


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:14:59, Files Clean:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 21:12:56


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=H:


    2516 files have been read.


    2516 files have been checked.


    1473 files have been scanned.


    9402 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:14:58 1 minute 47 seconds (106.96 seconds) has elapsed.


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:14:59, Clean Fail:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 21:12:56


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=H:


    2516 files have been read.


    2516 files have been checked.


    1473 files have been scanned.


    9402 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:14:58 1 minute 47 seconds (106.96 seconds) has elapsed.


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:14:59, Scanner "H:\VSCANTM.BIN" has finished running.


    2008-02-27, 21:15:30, Files Detected:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 21:15:17


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=H:


    10 files have been read.


    10 files have been checked.


    9 files have been scanned.


    9 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:15:30


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:15:30, Files Clean:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 21:15:16


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=H:


    10 files have been read.


    10 files have been checked.


    9 files have been scanned.


    9 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:15:30 1 second (0.59 seconds) has elapsed.


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:15:30, Clean Fail:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 21:15:17


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=H:


    10 files have been read.


    10 files have been checked.


    9 files have been scanned.


    9 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:15:30 1 second (0.59 seconds) has elapsed.


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:15:30, Scanner "H:\VSCANTM.BIN" has finished running.


    2008-02-27, 21:17:34, Files Detected:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 21:15:39


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 G:\*.* /P=H:


    3729 files have been read.


    3729 files have been checked.


    3412 files have been scanned.


    3413 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:17:31


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:17:35, Files Clean:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 21:15:39


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 G:\*.* /P=H:


    3729 files have been read.


    3729 files have been checked.


    3412 files have been scanned.


    3413 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:17:31 1 minute 45 seconds (105.82 seconds) has elapsed.


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:17:35, Clean Fail:


    Copyright © 1990 - 2004 Trend Micro Inc.


    Report Date : 2/27/2008 21:15:39


    VSAPI Engine Version : 8.000-1001


    VSCANTM Version : 1.1-1001


    Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)


    Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 G:\*.* /P=H:


    3729 files have been read.


    3729 files have been checked.


    3412 files have been scanned.


    3413 files have been scanned. (including files in archived)


    0 files containing viruses.


    Found 0 viruses totally.


    Maybe 0 viruses totally.


    Stop At : 2/27/2008 21:17:31 1 minute 45 seconds (105.82 seconds) has elapsed.


    ---------*---------*---------*---------*---------*---------*---------*---------*


    2008-02-27, 21:17:35, Scanner "H:\VSCANTM.BIN" has finished running.


    Then we went to bed & ran HiJack first thing this morning.


    HJT Log 5:14AM, 2-28-08


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)


    Scan saved at 5:34:46 AM, on 2/28/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\csrss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\WINDOWS\system32\cisvc.exe


    C:\WINDOWS\IA\command.exe


    C:\Program Files\Network Monitor\netmon.exe


    C:\WINDOWS\system32\HPZipm12.exe


    C:\WINDOWS\system32\sdpasvc.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\MsPMSPSv.exe


    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


    C:\Program Files\Common Files\Real\Update_OB\realsched.exe


    E:\iTunes\iTunesHelper.exe


    C:\WINDOWS\Fonts\svchost.exe


    C:\WINDOWS\system32\rundll32.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\WINDOWS\system32\wscntfy.exe


    C:\WINDOWS\System32\alg.exe


    C:\Program Files\Messenger\msmsgs.exe


    D:\Palm\Hotsync.exe


    C:\Program Files\iPod\bin\iPodService.exe


    C:\WINDOWS\system32\cidaemon.exe


    C:\WINDOWS\system32\windows


    C:\WINDOWS\explorer.exe


    C:\Documents and Settings\Windows User\Desktop\moon.exe


    C:\WINDOWS\system32\wbem\wmiprvse.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/


    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll


    O2 - BHO: (no name) - {377C2660-3320-4CCB-917B-6671A3E55888} - C:\WINDOWS\system32\qopno.dll


    O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll


    O2 - BHO: (no name) - {5572363F-F2D9-41F5-8B4D-DE96E76FFDE7} - (no file)


    O2 - BHO: (no name) - {87526773-6e7b-4187-8aa2-d1221f2213a9} - C:\WINDOWS\system32\gvrgyyw.dll


    O2 - BHO: (no name) - {94E7FB49-508F-4BF5-B21B-273DB57B373A} - (no file)


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\grxnofvn.dll


    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)


    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)


    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll


    O4 - HKLM\..\Run: [bM2b50813a] Rundll32.exe "C:\WINDOWS\system32\xlnerxff.dll",s


    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe


    O4 - HKLM\..\Run: [2863b2a6] rundll32.exe "C:\WINDOWS\system32\grfrfmxy.dll",b


    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe


    O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe


    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')


    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')


    O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe


    O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE


    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = D:\Palm\Hotsync.exe


    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html


    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html


    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html


    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000


    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html


    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html


    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O20 - Winlogon Notify: !SASWinLogon - G:\SASWINLO.dll


    O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll


    O20 - Winlogon Notify: xxyvvut - C:\WINDOWS\SYSTEM32\xxyvvut.dll


    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll


    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows


    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe


    --


    End of file - 6748 bytes


    Then I found the post, installed & ran VundoFix.exe. It started running at 5:47am; it said (Not Responding) in the title bar at 7:28am, so I ended the task. As it was running, it listed the following files in the window:


    grfrfmwy.dll


    grxnofvn.dll


    qopno.dll


    xlnerxff.dll


    xxyawtt.dll


    xxyvvut.dll


    ssqppno.dll


    urqqolk.dll

    I ran HJT again.


    HJT Log 7:29AM, 2-28-08


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)


    Scan saved at 7:29:56 AM, on 2/28/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\csrss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\system32\cisvc.exe


    C:\WINDOWS\IA\command.exe


    C:\WINDOWS\system32\HPZipm12.exe


    C:\WINDOWS\system32\sdpasvc.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


    C:\WINDOWS\Fonts\svchost.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\WINDOWS\System32\alg.exe


    D:\Palm\Hotsync.exe


    C:\WINDOWS\system32\cidaemon.exe


    C:\WINDOWS\system32\windows


    C:\WINDOWS\explorer.exe


    C:\WINDOWS\system32\wscntfy.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\Documents and Settings\Windows User\Desktop\moon.exe


    C:\WINDOWS\system32\wbem\wmiprvse.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/


    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll


    O2 - BHO: (no name) - {377C2660-3320-4CCB-917B-6671A3E55888} - C:\WINDOWS\system32\qopno.dll


    O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\grxnofvn.dll


    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)


    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)


    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll


    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe


    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe


    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')


    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')


    O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe


    O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE


    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = D:\Palm\Hotsync.exe


    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html


    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html


    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html


    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000


    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html


    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html


    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O20 - Winlogon Notify: !SASWinLogon - G:\SASWINLO.dll


    O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll


    O20 - Winlogon Notify: xxyvvut - C:\WINDOWS\SYSTEM32\xxyvvut.dll


    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll


    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows


    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe


    --


    End of file - 5979 bytes


    I checked to repair the following, based on the Vundo listing:


    O2 - BHO: (no name) - {377C2660-3320-4CCB-917B-6671A3E55888} - C:\WINDOWS\system32\qopno.dll


    O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\grxnofvn.dll


    O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll


    O20 - Winlogon Notify: xxyvvut - C:\WINDOWS\SYSTEM32\xxyvvut.dll


    Based on other posts, I ran ComboFix. The post said it may need to reboot, which it did, but it didn't restart after the reboot, and there were two new folders on the desktop: backups and Catchme.zip. The catchme folder had three files in it: grxnofvn.dll, qopno.dll, and xxyvvut.dll.


    I did some looking around & didn't recognize the folder RABCO. Found a setup log, and it listed a registry line with Internet Settings... Rabco Search Enhancer. I've never added a search enhancer, so I used Add/Remove Programs and got rid of it. I did a search on the C: drive and found two files with the name in the prefetch folder and a folder and a file in the Recent folder. I deleted all of them as well.


    I then ran HJT again:


    HJT Log 8:14AM, 2-28-08


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)


    Scan saved at 08:15, on 2008-02-28


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\WINDOWS\system32\cisvc.exe


    C:\WINDOWS\system32\HPZipm12.exe


    C:\WINDOWS\system32\sdpasvc.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\MsPMSPSv.exe


    C:\WINDOWS\system32\wscntfy.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Messenger\msmsgs.exe


    D:\Palm\Hotsync.exe


    C:\WINDOWS\system32\cidaemon.exe


    C:\Documents and Settings\Windows User\Desktop\moon.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/


    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)


    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll


    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe


    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')


    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')


    O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE


    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html


    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html


    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html


    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000


    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html


    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html


    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll


    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)


    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe


    --


    End of file - 4677 bytes

    After that, I ran ComboFix again:


    ComboFix Log 8:30AM, 2-28-08


    ComboFix 08-02-25.3 - Windows User 2008-02-28 8:19:45.2 - FAT32x86


    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.34 [GMT -5:00]


    Running from: C:\Documents and Settings\Windows User\Desktop\ComboFix.exe


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\WINDOWS\Fonts\'


    .


    ---- Previous Run -------


    .


    C:\24612699.exe


    C:\Documents and Settings\LocalService\Application Data\NetMon


    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt


    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt


    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe


    C:\Program Files\folder.js


    C:\Program Files\network monitor


    C:\Program Files\network monitor\netmon.exe


    C:\Program Files\outlook


    C:\Program Files\TTC.dll


    C:\Program Files\web buying


    C:\Program Files\web buying\v1.8.8\wbuninst.exe


    C:\Program Files\web buying\v1.8.8\webbuying.exe


    C:\Temp\1cb


    C:\Temp\1cb\syscheck.log


    C:\WINDOWS\b.exe


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\cup.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\customer_cup.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\heart.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\menu_down.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\menu_up.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\plates.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\ticket.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\tray.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\music\mainmenumusic.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_bring_check_1_snd.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_deliver_food_1_snd.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_deliver_order_1_snd.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_diner.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_dish_dropoff_1_snd.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_food_ready_1_snd.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_gain_heart_1.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_get_drinks_1_snd.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_party_arrive_1_snd.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_pencil_write_2.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_pickup_food_1_snd.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_rollover_1.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_seat_people_snd.ogg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\choosedifficulty.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\credits.jpg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\flo_lose.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\flo_win.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\help1.jpg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\help2.jpg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\highscores.jpg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\levelintro.jpg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\levelintro_mask.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\levelover.jpg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\levelover_mask.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\mainmenu.jpg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\popup.jpg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\popup_mask.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\upgradegrid.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\upgradetitle.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\upsell.jpg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\arrowleft_blue.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\arrowleft_yellow.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\arrowright_blue.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\arrowright_yellow.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\back_blue.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\back_yellow.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\backchalk.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\backchalkup.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\backtomenu_blue.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\backtomenu_yellow.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\cancel.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\cancelup.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\career.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\career_over.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\close.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\closeup.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\continue.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\continueover.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\credits_blue.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\credits_yellow.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\download_blue.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\download_yellow.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\easy.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\easy_over.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\endlessshift.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\endlessshift_over.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\hard.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\hard_over.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\help.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\help_over.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\highscores.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\highscores_over.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\instructions_blue.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\instructions_yellow.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\letsplay.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\letsplayover.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\medium.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\medium_over.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\moreinfo.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\moreinfoup.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\off.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\off_on.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\on.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\on_on.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\pause.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\pauseover.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\quit.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\quitgame.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\quitgameover.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\quitover.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\resumegame.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\resumegameover.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\submit.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\submitup.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\tryagain.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\tryagainover.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\upgrade_over.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\upgrade_up.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewglobal.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewglobalup.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewhighscore.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewhighscoreon.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewlocal.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewlocalup.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\comics\webcomic.jpg


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\config\career.xml


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\config\customer.xml


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\config\endless.xml


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\config\global.xml


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\config\powerups.xml


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\cook\cook.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\cook\cook.xml


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\cook\stove.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\cursor\arrow.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\cursor\click.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\cursor\click2.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\cursor\grab.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\cursor\open.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\anim.xml


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\blue\anim.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\blue\anim.xml


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\blue\sit_legs.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\green\anim.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\green\anim.xml


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\green\sit_legs.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\purple\anim.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\purple\anim.xml


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\purple\sit_legs.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\red\anim.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\red\anim.xml


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\red\sit_legs.png


    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\yellow\anim.png


    C:\WINDOWS\Fonts\a.zip


    C:\WINDOWS\Fonts\svchost.exe


    C:\WINDOWS\IA


    C:\WINDOWS\IA\asappsrv.dll


    C:\WINDOWS\IA\command.exe


    C:\WINDOWS\IA\KE.vbs


    C:\WINDOWS\start.exe


    C:\WINDOWS\system\msmsgs.exe


    C:\WINDOWS\system32\{92A5FCA1-D047-4B05-88D1-76863E87C6E5}.exe


    C:\WINDOWS\system32\atmtd.dll


    C:\WINDOWS\system32\atmtd.dll._


    C:\WINDOWS\system32\grfrfmxy.dll


    C:\WINDOWS\system32\grxnofvn.dllbox


    C:\WINDOWS\SYSTEM32\onpoq.ini


    C:\WINDOWS\SYSTEM32\onpoq.ini2


    C:\WINDOWS\system32\pac.txt


    C:\WINDOWS\system32\ssqppno.dll


    C:\WINDOWS\system32\urqqolk.dll


    C:\WINDOWS\system32\windows


    C:\WINDOWS\system32\windows.scr


    C:\WINDOWS\system32\xlnerxff.dll


    C:\WINDOWS\system32\xxyawtt.dll


    C:\WINDOWS\SYSTEM32\yxmfrfrg.ini


    C:\WINDOWS\uninst2.htm


    C:\WINDOWS\uninstall_nmon.vbs


    C:\WINDOWS\unist1.htm


    C:\WINDOWS\Web\default.htt


    .


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    -------\LEGACY_CMDSERVICE


    -------\LEGACY_NETWORK_MONITOR


    -------\cmdService


    -------\Network Monitor


    ((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))


    .


    2008-02-28 05:47 . 2008-02-28 05:47 <DIR> d-------- C:\VundoFix Backups


    2008-02-27 18:00 . 2002-07-17 07:42 577,536 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll


    2008-02-27 17:04 . 2008-02-27 17:04 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\SUPERAntiSpyware.com


    2008-02-27 17:04 . 2008-02-27 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com


    2008-02-27 16:56 . 2008-02-27 16:56 0 --a------ C:\WINDOWS\nsreg.dat


    2008-02-27 06:45 . 2008-02-27 18:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn


    2008-02-27 06:30 . 2001-08-23 07:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\dllcache\msir3jp.lex


    2008-02-27 06:29 . 2001-08-23 07:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll


    2008-02-27 06:28 . 2004-08-03 17:56 2,134,528 --a------ C:\WINDOWS\SYSTEM32\dllcache\smtpsnap.dll


    2008-02-27 06:27 . 2004-08-03 17:56 829,440 --a------ C:\WINDOWS\SYSTEM32\dllcache\inetmgr.dll


    2008-02-27 06:23 . 2008-02-27 06:23 749 -rah----- C:\WINDOWS\WindowsShell.Manifest


    2008-02-27 06:23 . 2008-02-27 06:23 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest


    2008-02-27 06:23 . 2008-02-27 06:23 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest


    2008-02-27 06:23 . 2008-02-27 06:23 749 -rah----- C:\WINDOWS\SYSTEM32\nwc.cpl.manifest


    2008-02-27 06:23 . 2008-02-27 06:23 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest


    2008-02-27 06:23 . 2008-02-27 06:23 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest


    2008-02-27 06:03 . 2004-08-03 22:31 20,992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\RTL8139.sys


    2008-02-27 05:58 . 2004-08-03 18:57 1,086,058 -ra------ C:\WINDOWS\SET9B.tmp


    2008-02-27 05:58 . 2004-08-03 19:03 1,042,903 -ra------ C:\WINDOWS\SET9A.tmp


    2008-02-27 05:58 . 2004-08-03 18:58 13,753 -ra------ C:\WINDOWS\SET9F.tmp


    2008-02-27 05:56 . 2008-02-27 05:56 <DIR> d--hs---- C:\FOUND.004


    2008-02-26 20:15 . 2004-08-04 00:56 185,856 --a------ C:\WINDOWS\SYSTEM32\framedyn.dll


    2008-02-26 17:48 . 2008-02-26 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio


    2008-02-26 16:58 . 2008-02-26 16:58 <DIR> d-------- C:\Temp\sanR24


    2008-02-26 16:55 . 2008-02-26 16:55 <DIR> d--hs---- C:\FOUND.003


    2008-02-26 10:06 . 2008-02-27 18:22 22 --a------ C:\WINDOWS\pskt.ini


    2008-02-26 05:19 . 2004-08-04 20:46 520,192 --a------ C:\WINDOWS\SYSTEM32\wscma2u.exe


    2008-02-26 05:19 . 2005-10-21 20:20 278,528 --a------ C:\WINDOWS\SYSTEM32\ammpp.dll


    2008-02-26 05:19 . 2005-10-18 11:14 144,896 --a------ C:\WINDOWS\SYSTEM32\lame_dshow.ax


    2008-02-26 05:19 . 2006-12-24 07:36 73,728 --a------ C:\WINDOWS\SYSTEM32\a1.dll


    2008-02-26 05:19 . 2005-10-26 13:12 70,144 --a------ C:\WINDOWS\SYSTEM32\AudioFileConvert.ocx


    2008-02-26 05:19 . 2005-09-18 13:17 61,440 --a------ C:\WINDOWS\SYSTEM32\anming.ocx


    2008-02-26 05:19 . 2005-10-26 13:12 3,772 --a------ C:\WINDOWS\SYSTEM32\AudioFileConvert.tlb


    2008-02-25 21:57 . 2008-02-25 21:57 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll


    2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\jk8


    2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\iDlo18


    2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\hc4


    2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\cb2


    2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\ax3


    2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\Temp


    2008-02-22 18:42 . 2008-02-22 18:42 0 --a------ C:\WINDOWS\QuickInstall.INI


    2008-02-22 18:37 . 2008-02-22 18:37 0 --a------ C:\WINDOWS\QUICKI~1.INI


    2008-02-22 18:33 . 2008-02-22 18:33 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\Leadertech


    2008-02-22 18:23 . 2008-02-22 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync


    2008-02-22 18:23 . 2008-02-22 18:20 53,248 --a------ C:\WINDOWS\PalmDevC.dll


    2008-02-22 18:20 . 2008-02-22 18:20 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\HotSync


    2008-02-19 19:07 . 2004-08-03 23:04 30,080 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys


    2008-02-19 19:07 . 2004-08-03 23:04 12,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys


    2008-02-18 18:10 . 2008-02-18 18:10 24 --a------ C:\WINDOWS\AM_D8.PRF


    2008-02-16 07:16 . 2008-02-16 07:16 <DIR> d-------- C:\Documents and Settings\Windows User\.limewire


    2008-02-14 17:27 . 2008-02-14 17:27 <DIR> d--hs---- C:\FOUND.002


    2008-02-13 20:30 . 2008-02-13 20:30 <DIR> d-------- C:\Documents and Settings\Windows User\Apps


    2008-02-08 16:33 . 2008-02-08 16:33 <DIR> d-------- C:\Program Files\Paint.NET


    2008-02-08 16:33 . 2008-02-08 16:33 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\Paint.NET


    2008-02-08 15:05 . 2001-08-17 14:06 154,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Icam4USB.sys


    2008-02-08 15:05 . 2001-08-17 22:36 91,136 --a------ C:\WINDOWS\SYSTEM32\icam4com.dll


    2008-02-08 15:05 . 2001-08-17 22:36 61,952 --a------ C:\WINDOWS\SYSTEM32\Icam4EXT.dll


    2008-02-08 13:48 . 2008-02-08 13:48 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\WMTools Downloaded Files


    2008-02-08 13:40 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MSTEE.sys


    2008-02-08 13:39 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NABTSFEC.sys


    2008-02-08 13:39 . 2004-08-03 23:10 19,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\WSTCODEC.SYS


    2008-02-08 13:38 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\SYSTEM32\kswdmcap.ax


    2008-02-08 13:38 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\SYSTEM32\kstvtune.ax


    2008-02-08 13:38 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\SYSTEM32\vfwwdm32.dll


    2008-02-08 13:38 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\SYSTEM32\ksxbar.ax


    2008-02-08 13:38 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\SYSTEM32\vidcap.ax


    2008-02-08 13:38 . 2004-08-03 23:10 17,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CCDECODE.sys


    2008-02-08 13:38 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\SYSTEM32\MSPCLOCK.sys


    2008-02-08 13:28 . 2008-02-08 13:28 <DIR> d-------- C:\Drivers


    2008-02-08 13:28 . 2001-11-05 09:23 299,923 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sonyhcs.sys


    2008-02-08 13:28 . 2002-10-15 22:41 102,220 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sonypvs1.sys


    2008-02-08 13:28 . 2001-11-05 09:23 38,739 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sonyhcc.sys


    2008-02-08 13:28 . 2001-11-05 09:23 6,097 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sonyhcb.sys


    2008-02-08 13:28 . 2001-07-03 20:39 3,654 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Sonyhcp.dll


    2008-02-08 13:27 . 2004-03-08 12:55 13,567 --------- C:\WINDOWS\SYSTEM32\DRIVERS\CDRBSDRV.SYS


    2008-02-08 13:27 . 2000-05-19 17:49 1,458 --------- C:\WINDOWS\SYSTEM32\LTOCX12n.INF


    2008-02-08 13:18 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\USBAUDIO.sys


    2008-02-08 11:25 . 2008-02-08 11:25 <DIR> d--hs---- C:\FOUND.001


    2008-02-01 17:33 . 2008-02-01 17:33 <DIR> d-------- C:\Program Files\Water Bugs


    2008-02-01 17:33 . 2008-02-01 17:33 <DIR> d-------- C:\Program Files\Heroes of Hellas


    2008-02-01 17:33 . 2008-02-01 17:33 <DIR> d-------- C:\Program Files\Gold Miner Vegas


    2008-02-01 17:33 . 2008-02-01 17:33 <DIR> d-------- C:\Program Files\Elven Mists


    2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Treasures of the Deep


    2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Top Ten Solitaire


    2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Snowy Treasure Hunter 2


    2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Ozzy Bubbles


    2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Nab-n-Grab


    2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Jewel Quest Solitaire II


    2008-02-01 17:31 . 2008-02-01 17:31 <DIR> d-------- C:\Program Files\Turtle Odyssey 2


    2008-02-01 17:31 . 2008-02-01 17:31 <DIR> d-------- C:\Program Files\Chicken Invaders 3 Christmas Edition


    2008-02-01 17:30 . 2008-02-01 17:30 <DIR> d-------- C:\Program Files\Chicken Invaders 3


    2008-02-01 17:18 . 2008-02-01 17:18 <DIR> d--hs---- C:\FOUND.000


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-02-27 11:52 39,848 ----a-w C:\Documents and Settings\Windows User\Application Data\GDIPFONTCACHEV1.DAT


    2008-02-26 03:11 278,534 ----a-w C:\WINDOWS\FONTS\Setup.exe


    2008-02-22 23:20 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys


    2008-02-08 19:29 284 ----a-w C:\Documents and Settings\Windows User\Application Data\ViewerApp.dat


    2008-01-19 22:56 --------- d-----w C:\Documents and Settings\Windows User\Application Data\LimeWire


    2008-01-15 11:16 --------- d-----w C:\Program Files\2nd Story Software


    2008-01-12 14:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScreenSeven


    2008-01-07 21:23 --------- d-----w C:\Documents and Settings\Windows User\Application Data\iWin


    2008-01-03 23:34 --------- d-----w C:\Program Files\Datel


    2008-01-02 10:26 --------- d-----w C:\Program Files\iPod


    2008-01-02 10:22 --------- d-----w C:\Program Files\QuickTime


    2005-12-26 13:54 774,144 ----a-w C:\Program Files\RngInterstitial.dll


    2000-06-16 17:26 271 --sh--w C:\Program Files\desktop.ini


    2000-06-16 17:26 23,357 ---ha-w C:\Program Files\folder.htt


    1989-12-12 15:10 1,148,784 --sha-r C:\WINDOWS\eqshigw.exe


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]


    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]


    "SUPERAntiSpyware"="G:\SUPERAntiSpyware.exe" [ ]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


    "MOSearch"="C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe" [2001-01-19 15:28 69632]


    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]


    "ctfmon.exe"="ctfmon.exe" [2004-08-03 22:56 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe]


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    Microsoft Office.lnk - G:\Office\OSA9.EXE [1999-02-17 14:05:56 65588]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]


    "NoBandCustomize"= 0 (0x0)


    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]


    "NoBandCustomize"= 0 (0x0)


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]


    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme


    "HPScanPatch"=C:\WINDOWS\SYSTEM32\HPScanFix.exe


    "hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe


    "Delay"=C:\WINDOWS\delayrun.exe


    "HPDJ Taskbar Utility"=C:\WINDOWS\SYSTEM32\hpztsb05.exe


    "PP3100b"=C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe


    "yaemu.exe"=C:\WINDOWS\SYSTEM\yaemu.exe


    "OmgStartup"=C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe


    "SsAAD.exe"=C:\PROGRA~1\SONY\SONICS~1\SSAAD.EXE


    "QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime


    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


    "dmseq.exe"=C:\WINDOWS\SYSTEM\dmseq.exe


    "csldh.exe"=csldh.exe


    "LoadQM"=loadqm.exe


    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


    "IgfxTray"=C:\WINDOWS\SYSTEM32\IGFXTRAY.EXE


    "HotKeysCmds"=C:\WINDOWS\SYSTEM32\HKCMD.EXE


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


    "%windir%\\system32\\sessmgr.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=


    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=


    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=


    "E:\\StubInstaller.exe"=


    "E:\\LimeWire\\LimeWire.exe"=


    "E:\\iTunes\\iTunes.exe"=


    R2 SDPASVC;SDPAUMS server service;C:\WINDOWS\system32\sdpasvc.exe [2001-08-07 14:27]


    S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []


    S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]


    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]


    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]


    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install


    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]


    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]


    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install


    "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]


    C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl


    .


    Contents of the 'Scheduled Tasks' folder


    "2008-02-28 11:07:24 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"


    - C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE


    "2008-02-25 13:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"


    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-28 08:25:34


    Windows 5.1.2600 Service Pack 2 FAT NTAPI


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    ------------------------ Other Running Processes ------------------------


    .


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\WINDOWS\system32\HPZipm12.exe


    C:\WINDOWS\system32\MsPMSPSv.exe


    C:\WINDOWS\system32\wscntfy.exe


    .


    **************************************************************************


    .


    Completion time: 2008-02-28 8:27:37 - machine was rebooted [Windows User]


    ComboFix-quarantined-files.txt 2008-02-28 13:27:32


    .


    2008-02-14 23:10:47 --- E O F ---


    I then ran RenV.exe


    RenV.exe Log 8:33AM, 2-28-08


    Ran on Thu 02/28/2008 -  8:32:11.78

    Entries:                0  (0)
    Directories:            0  Files:             0
    Bytes:                  0  Blocks:            0


    Then, of course, HJT again:

    ComboFix Log 8:30AM, 2-28-08

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:33:50 AM, on 2/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\sdpasvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Windows User\Desktop\moon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe

    --
    End of file - 4595 bytes


    Hopefully, I didn't mess anything up too badly. The other posts listed scripts to write then drag into both ComboFix and RenV, but the scripts were very specific to the other user's systems, and my deleted/bad files are listed differently than theirs were.


    I was able to delete the two original desktop items, and neither of them has come back.


    Any further help would be most appreciated!!!! THANK YOU!!!

  • Newest HJT Log; I think I'm clean, finally, but not completely sure:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 9:28:31 PM, on 2/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\sdpasvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Windows User\Desktop\Happy.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe

    --
    End of file - 4596 bytes