Not Sure What I Have, But It Looks Like Everyone Else's
I have two new icons on the desktop (Help & Support and Windows Update). Internet Explorer went berserk. Then Windows stopped loading (XP Pro, SP2). Used the install disk & repaired Windows to load.
I loaded HJT to a jump drive from work and ran it. Log is here.
Please help!!!!
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:44:27 PM, on 2/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\iTunes\iTunesHelper.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\cidaemon.exe
H:\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll
O2 - BHO: (no name) - {5572363F-F2D9-41F5-8B4D-DE96E76FFDE7} - C:\Program Files\folder.js\cymawigu89104.dll (file missing)
O2 - BHO: (no name) - {87526773-6e7b-4187-8aa2-d1221f2213a9} - C:\WINDOWS\system32\gvrgyyw.dll
O2 - BHO: (no name) - {94E7FB49-508F-4BF5-B21B-273DB57B373A} - C:\Program Files\folder.js\cymawigu89104.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\grxnofvn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C4C75055-666C-4065-81CB-F3F79CF52E4D} - C:\WINDOWS\system32\qopno.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [2863b2a6] rundll32.exe "C:\WINDOWS\system32\grfrfmxy.dll",b
O4 - HKLM\..\Run: [bM2b50813a] Rundll32.exe "C:\WINDOWS\system32\xlnerxff.dll",s
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = \Palm\Hotsync.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - G:\SASWINLO.dll
O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll
O20 - Winlogon Notify: xxyvvut - C:\WINDOWS\SYSTEM32\xxyvvut.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
--
End of file - 7330 bytes
Comments
o1darcie1o,
You are infected with Trojan.Vundo. This is a nasty virus to get rid of, so my instructions may only temporarily fix your computer.
Run Hijackthis, do a System Scan Only.
Check and fix the following entries:
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll
O2 - BHO: (no name) - {5572363F-F2D9-41F5-8B4D-DE96E76FFDE7} - C:\Program Files\folder.js\cymawigu89104.dll (file missing)
O2 - BHO: (no name) - {87526773-6e7b-4187-8aa2-d1221f2213a9} - C:\WINDOWS\system32\gvrgyyw.dll
O2 - BHO: (no name) - {94E7FB49-508F-4BF5-B21B-273DB57B373A} - C:\Program Files\folder.js\cymawigu89104.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\grxnofvn.dll
O2 - BHO: (no name) - {C4C75055-666C-4065-81CB-F3F79CF52E4D} - C:\WINDOWS\system32\qopno.dll
O4 - HKLM\..\Run: [2863b2a6] rundll32.exe "C:\WINDOWS\system32\grfrfmxy.dll",b
O4 - HKLM\..\Run: [BM2b50813a] Rundll32.exe "C:\WINDOWS\system32\xlnerxff.dll",s
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll
O20 - Winlogon Notify: xxyvvut - C:\WINDOWS\SYSTEM32\xxyvvut.dll
After you've fixed these, please download Atribune's VundoFix from this site:
http://www.atribune.org/ccount/click.php?id=4 and place it on your desktop. Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Post a fresh Hijackthis log after you've done all the procedures mentioned above.
Best of luck.
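As an added example (not code from this thread or from HijackThis), here is a small Python triage script that applies the same reading of the log the reply above uses: unnamed BHOs, Winlogon Notify hooks and rundll32 Run values that point at random-named DLLs, system binary names such as svchost.exe running from the wrong folder, and extension-less service or process image paths. The entry regexes, the random-name heuristic and the Winlogon Notify allowlist are my assumptions; the sample lines are copied from the HJT log posted above.

```python
"""Triage of HijackThis (HJT) log lines for the patterns the reply above relies on.
Added example, not code from this thread or from HijackThis; the entry regexes,
the random-name heuristic and the Winlogon Notify allowlist are assumptions."""
import re

# HJT entry formats (regexes written against the log posted above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\\S")                 # "Running processes" lines
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
HEXBLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")         # long hex argument on a Run value
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,9}$")             # heuristic: xxyvvut, grxnofvn, ...

# Binaries that live only under \system32 on XP; a copy elsewhere is suspect.
SYSTEM_ONLY = {"svchost.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe"}
# Winlogon Notify packages normally present on XP (assumed list, compared lower-case).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

def split_path(path):
    """(directory lower-cased, basename in original case) of a Windows path."""
    directory, _, base = path.strip().strip('"').rpartition("\\")
    return directory.lower(), base

def looks_random(base):
    """True for a file stem made only of 5-9 lower-case letters (Vundo-style names)."""
    return bool(RANDOM_STEM_RE.match(base.rsplit(".", 1)[0]))

def first_token(cmd):
    """Executable part of a Run value: the quoted path, or text up to the first space."""
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]

def misplaced_system_binary(path):
    """True when a system32-only binary name runs from some other directory."""
    directory, base = split_path(path)
    return base.lower() in SYSTEM_ONLY and not directory.endswith("\\system32")

def triage_line(line):
    """Reason string if the HJT line matches a suspicious pattern, else None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return "unnamed BHO loading " + m["path"] if m["name"] == "(no name)" else None
    m = O4_RE.match(line)
    if m:
        cmd, key = m["cmd"], m["name"]
        r = RUNDLL_RE.search(cmd)
        if r and looks_random(split_path(r["dll"])[1]):
            return "rundll32 loads random-named DLL %s under Run value [%s]" % (r["dll"], key)
        if HEXBLOB_RE.search(cmd):
            return "Run value [%s] passes a long hex blob as an argument" % key
        if misplaced_system_binary(first_token(cmd)):
            return "Run value [%s] starts a system binary name from the wrong folder" % key
        return None
    m = O20_RE.match(line)
    if m:
        if m["name"].lower() not in KNOWN_NOTIFY and looks_random(split_path(m["path"])[1]):
            return "unknown Winlogon Notify package loading " + m["path"]
        return None
    m = O23_RE.match(line)
    if m:
        if m["owner"] == "Unknown owner" and "." not in split_path(m["path"])[1]:
            return "service with unknown owner and extension-less image " + m["path"]
        return None
    if PROC_RE.match(line):
        directory, base = split_path(line)
        if misplaced_system_binary(line):
            return "process %s running from %s" % (base.lower(), directory)
        if "." not in base:
            return "process with extension-less image path " + line
    return None

def triage(log_text):
    """Run triage_line over a whole HJT log; returns [(line, reason), ...]."""
    hits = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits

# Sample lines copied from the HJT log posted above (a mix of clean and suspect entries).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\windows
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [2863b2a6] rundll32.exe "C:\WINDOWS\system32\grfrfmxy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - G:\SASWINLO.dll
O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
"""
if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print("FLAG: %s\n      %s" % (why, entry))
```

The heuristics are deliberately narrow, so a clean line can slip through and an unusual but legitimate name can be flagged; treat the output as a reading aid for the log, not a verdict.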
My post is showing up empty, so I'm trying to split it into a few:
This will be a HUGE post, as I've run a lot of scans, and don't know enough about all of this to know which lines can be removed from the listing to still give a complete picture...
The modem driver on the infected computer was uninstalled by something, so it's not connected to the internet. I'm working off a laptop to post, using a jump drive to transfer any programs and logs back & forth.
After my first post last night, I was given a program by a tech friend: Trend Micro Sysclean Package. This took what seemed like forever to run. I ran it from the flash drive (H:).
Sysclean Log
2008-02-27, 19:29:55, Auto-clean mode specified.
2008-02-27, 19:29:55, Running scanner "H:\TSC.BIN"...
2008-02-27, 19:33:11, Scanner "H:\TSC.BIN" has finished running.
2008-02-27, 19:33:11, TSC Log:
2008-02-27, 19:35:00, An error was detected on "G:\System Volume Information\*.*": Access is denied.
2008-02-27, 20:57:53, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 19:35:03
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=H:
C:\WINDOWS\SYSTEM\msmsgs.exe [TROJ_ZLOB.GEN]
C:\WINDOWS\SYSTEM32\urqqolk.dll [Mal_Vundo-3]
C:\WINDOWS\SYSTEM32\ssqppno.dll [Mal_Vundo-3]
C:\WINDOWS\SYSTEM32\csatr.exe [TROJ_AGENT.VIX]
C:\WINDOWS\SYSTEM32\ogop.dll [TROJ_STARTPAG.SZ]
C:\WINDOWS\SYSTEM32\ax3\dincomsdll3.exe [TROJ_DLOADER.DTK]
C:\WINDOWS\SYSTEM32\ryyeidyb.dll [TROJ_VUNDO.YEK]
C:\WINDOWS\SYSTEM32\grxnofvn.dll [TROJ_VUNDO.YEK]
C:\WINDOWS\Downloaded Program Files\load.exe [TROJ_SMALL.ITN]
C:\WINDOWS\ac3_0018.exe [TROJ_DLOADER.BRG]
C:\WINDOWS\aff_0006.exe [TSPY_SOFTOMATE.A]
C:\WINDOWS\srvedruxqh.exe [TROJ_DYFUCA.AI]
C:\WINDOWS\uni_e6h.exe [TROJ_VB.VV]
C:\WINDOWS\uninst108.exe [TROJ_VB.BKB]
C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP1\A0000016.exe [TROJ_DLOADER.HGW]
C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP1\A0000017.exe [TROJ_DLOADER.HGW]
C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001022.exe [TROJ_AGENT.VIX]
C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001023.dll [TROJ_STARTPAG.SZ]
C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001024.exe [TROJ_DLOADER.DTK]
C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001025.dll [TROJ_VUNDO.YEK]
C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001026.exe [TROJ_DLOADER.BRG]
C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001027.exe [TSPY_SOFTOMATE.A]
C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001028.exe [TROJ_DYFUCA.AI]
C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001029.exe [TROJ_VB.VV]
C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001030.exe [TROJ_VB.BKB]
C:\ms32.sys [TROJ_SMALL.FES]
83079 files have been read.
83079 files have been checked.
73315 files have been scanned.
103663 files have been scanned. (including files in archived)
26 files containing viruses.
Found 26 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 20:57:51
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 20:57:53, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 19:35:03
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=H:
Success Clean [ TROJ_AGENT.VIX]( 1) from C:\WINDOWS\SYSTEM32\csatr.exe
Success Clean [TROJ_STARTPAG.SZ]( 1) from C:\WINDOWS\SYSTEM32\ogop.dll
Success Clean [TROJ_DLOADER.DTK]( 1) from C:\WINDOWS\SYSTEM32\ax3\dincomsdll3.exe
Success Clean [ TROJ_VUNDO.YEK]( 1) from C:\WINDOWS\SYSTEM32\ryyeidyb.dll
Success Clean [ TROJ_SMALL.ITN]( 1) from C:\WINDOWS\Downloaded Program Files\load.exe
Success Clean [TROJ_DLOADER.BRG]( 1) from C:\WINDOWS\ac3_0018.exe
Success Clean [TSPY_SOFTOMATE.A]( 1) from C:\WINDOWS\aff_0006.exe
Success Clean [ TROJ_DYFUCA.AI]( 1) from C:\WINDOWS\srvedruxqh.exe
Success Clean [ TROJ_VB.VV]( 1) from C:\WINDOWS\uni_e6h.exe
Success Clean [ TROJ_VB.BKB]( 1) from C:\WINDOWS\uninst108.exe
Success Clean [TROJ_DLOADER.HGW]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP1\A0000016.exe
Success Clean [TROJ_DLOADER.HGW]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP1\A0000017.exe
Success Clean [ TROJ_AGENT.VIX]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001022.exe
Success Clean [TROJ_STARTPAG.SZ]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001023.dll
Success Clean [TROJ_DLOADER.DTK]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001024.exe
Success Clean [ TROJ_VUNDO.YEK]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001025.dll
Success Clean [TROJ_DLOADER.BRG]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001026.exe
Success Clean [TSPY_SOFTOMATE.A]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001027.exe
Success Clean [ TROJ_DYFUCA.AI]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001028.exe
Success Clean [ TROJ_VB.VV]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001029.exe
Success Clean [ TROJ_VB.BKB]( 1) from C:\System Volume Information\_restore{83AB1DBD-1764-458F-85AC-7FD4B0EFCBD8}\RP3\A0001030.exe
Success Clean [ TROJ_SMALL.FES]( 1) from C:\ms32.sys
83079 files have been read.
83079 files have been checked.
73315 files have been scanned.
103663 files have been scanned. (including files in archived)
26 files containing viruses.
Found 26 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 20:57:51 1 hour 22 minutes 23 seconds (4943.02 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 20:57:53, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 19:35:03
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=H:
83079 files have been read.
83079 files have been checked.
73315 files have been scanned.
103663 files have been scanned. (including files in archived)
26 files containing viruses.
Found 26 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 20:57:51 1 hour 22 minutes 23 seconds (4943.02 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 20:57:53, Scanner "H:\VSCANTM.BIN" has finished running.
2008-02-27, 21:12:41, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 20:58:04
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 \*.* /P=H:
26914 files have been read.
26914 files have been checked.
22826 files have been scanned.
52874 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:12:39
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:12:42, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 20:58:04
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 \*.* /P=H:
26914 files have been read.
26914 files have been checked.
22826 files have been scanned.
52874 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:12:39 14 minutes 17 seconds (857.15 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:12:42, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 20:58:04
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 \*.* /P=H:
26914 files have been read.
26914 files have been checked.
22826 files have been scanned.
52874 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:12:39 14 minutes 17 seconds (857.15 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:12:42, Scanner "H:\VSCANTM.BIN" has finished running.
2008-02-27, 21:14:59, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 21:12:56
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=H:
2516 files have been read.
2516 files have been checked.
1473 files have been scanned.
9402 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:14:58
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:14:59, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 21:12:56
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=H:
2516 files have been read.
2516 files have been checked.
1473 files have been scanned.
9402 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:14:58 1 minute 47 seconds (106.96 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:14:59, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 21:12:56
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=H:
2516 files have been read.
2516 files have been checked.
1473 files have been scanned.
9402 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:14:58 1 minute 47 seconds (106.96 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:14:59, Scanner "H:\VSCANTM.BIN" has finished running.
2008-02-27, 21:15:30, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 21:15:17
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=H:
10 files have been read.
10 files have been checked.
9 files have been scanned.
9 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:15:30
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:15:30, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 21:15:16
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=H:
10 files have been read.
10 files have been checked.
9 files have been scanned.
9 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:15:30 1 second (0.59 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:15:30, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 21:15:17
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=H:
10 files have been read.
10 files have been checked.
9 files have been scanned.
9 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:15:30 1 second (0.59 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:15:30, Scanner "H:\VSCANTM.BIN" has finished running.
2008-02-27, 21:17:34, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 21:15:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 G:\*.* /P=H:
3729 files have been read.
3729 files have been checked.
3412 files have been scanned.
3413 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:17:31
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:17:35, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 21:15:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 G:\*.* /P=H:
3729 files have been read.
3729 files have been checked.
3412 files have been scanned.
3413 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:17:31 1 minute 45 seconds (105.82 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:17:35, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/27/2008 21:15:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 125 (243493 Patterns) (2008/02/26) (512500)
Command Line: H:\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 G:\*.* /P=H:
3729 files have been read.
3729 files have been checked.
3412 files have been scanned.
3413 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/27/2008 21:17:31 1 minute 45 seconds (105.82 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2008-02-27, 21:17:35, Scanner "H:\VSCANTM.BIN" has finished running.
Then we went to bed & ran HiJack first thing this morning.
HJT Log 5:14AM, 2-28-08
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:34:46 AM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\IA\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\iTunes\iTunesHelper.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
\Palm\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\windows
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Windows User\Desktop\moon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: (no name) - {377C2660-3320-4CCB-917B-6671A3E55888} - C:\WINDOWS\system32\qopno.dll
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll
O2 - BHO: (no name) - {5572363F-F2D9-41F5-8B4D-DE96E76FFDE7} - (no file)
O2 - BHO: (no name) - {87526773-6e7b-4187-8aa2-d1221f2213a9} - C:\WINDOWS\system32\gvrgyyw.dll
O2 - BHO: (no name) - {94E7FB49-508F-4BF5-B21B-273DB57B373A} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\grxnofvn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [bM2b50813a] Rundll32.exe "C:\WINDOWS\system32\xlnerxff.dll",s
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [2863b2a6] rundll32.exe "C:\WINDOWS\system32\grfrfmxy.dll",b
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = \Palm\Hotsync.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - G:\SASWINLO.dll
O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll
O20 - Winlogon Notify: xxyvvut - C:\WINDOWS\SYSTEM32\xxyvvut.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
--
End of file - 6748 bytes
Then I found the post, installed & ran VundoFix.exe. Started running at 5:47am; it said (Not Responding) in the title bar at 7:28am, so I ended task. As it was running, it listed the following files in the window:
grfrfmwy.dll
grxnofvn.dll
qopno.dll
xlnerxff.dll
xxyawtt.dll
xxyvvut.dll
ssqppno.dll
urqqolk.dll
I ran HJT again.
HJT Log 7:29AM, 2-28-08
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:29:56 AM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
\Palm\Hotsync.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\windows
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\Windows User\Desktop\moon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: (no name) - {377C2660-3320-4CCB-917B-6671A3E55888} - C:\WINDOWS\system32\qopno.dll
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\grxnofvn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = \Palm\Hotsync.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - G:\SASWINLO.dll
O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll
O20 - Winlogon Notify: xxyvvut - C:\WINDOWS\SYSTEM32\xxyvvut.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
--
End of file - 5979 bytes
I checked to repair the following, based on the Vundo listing:
O2 - BHO: (no name) - {377C2660-3320-4CCB-917B-6671A3E55888} - C:\WINDOWS\system32\qopno.dll
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\xxyvvut.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\grxnofvn.dll
O20 - Winlogon Notify: grxnofvn - C:\WINDOWS\SYSTEM32\grxnofvn.dll
O20 - Winlogon Notify: xxyvvut - C:\WINDOWS\SYSTEM32\xxyvvut.dll
Based on other posts, I ran ComboFix. The post said it may need to reboot, which it did, but it didn't restart after the reboot, and there were two new folders on the desktop: backups and Catchme.zip. The catchme folder had three files in it: grxnofvn.dll, qopno.dll, and xxyvvut.dll.
I did some looking around & didn't recognize the folder RABCO. Found a setup log, and it listed a registry line with Internet Settings... Rabco Search Enhancer. I've never added a search enhancer, so I used Add/Remove Programs and got rid of it. I did a search on the C: drive and found two files with the name in the prefetch folder and a folder and a file in the Recent folder. I deleted all of them as well.
I then ran HJT again:
HJT Log 8:14AM, 2-28-08
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 08:15, on 2008-02-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
\Palm\Hotsync.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Windows User\Desktop\moon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
--
End of file - 4677 bytes
After that, I ran ComboFix again:
ComboFix Log 8:30AM, 2-28-08
ComboFix 08-02-25.3 - Windows User 2008-02-28 8:19:45.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.34 [GMT -5:00]
Running from: C:\Documents and Settings\Windows User\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Fonts\'
.
---- Previous Run -------
.
C:\24612699.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\folder.js
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outlook
C:\Program Files\TTC.dll
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.8\wbuninst.exe
C:\Program Files\web buying\v1.8.8\webbuying.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\b.exe
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\upgrade.lua
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\upsell.lua
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\webcomic.lua
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\yesno.lua
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\splash\gamelabsplash.jpg
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\splash\playfirst_logo.jpg
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\strings.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\angersmoke.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\angersmoke.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\chairflags.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\chairflags.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\check.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\checkmark.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\clock.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\closed.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\closingtime.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\coinflip.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\coinflip.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\dollar.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\doodles\coffee.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\doodles\tables.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\doodles\wallpaper.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\expert.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\expertscore.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\foodpoof.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\foodpoof.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\fork_timer.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\goalcompleted.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\heartgrow.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\heartgrow.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\jar.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\jar.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\level.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\level_career.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\score.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\sound.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\staroff.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\staron.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\tablenumber.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\tablenumberup.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\traynumber.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\tutorial_character.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\tutorialarrow.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\tutorialbox.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgradeanim.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgradeanim.xml
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\drinks.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\maitred.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\oven.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\select.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\######.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\stereo.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\table.png
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\dinerdash.exe
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.58\logfile.txt
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\IA
C:\WINDOWS\IA\asappsrv.dll
C:\WINDOWS\IA\command.exe
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\start.exe
C:\WINDOWS\system\msmsgs.exe
C:\WINDOWS\system32\{92A5FCA1-D047-4B05-88D1-76863E87C6E5}.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\grfrfmxy.dll
C:\WINDOWS\system32\grxnofvn.dllbox
C:\WINDOWS\SYSTEM32\onpoq.ini
C:\WINDOWS\SYSTEM32\onpoq.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ssqppno.dll
C:\WINDOWS\system32\urqqolk.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\xlnerxff.dll
C:\WINDOWS\system32\xxyawtt.dll
C:\WINDOWS\SYSTEM32\yxmfrfrg.ini
C:\WINDOWS\uninst2.htm
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\unist1.htm
C:\WINDOWS\Web\default.htt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\Network Monitor
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.
2008-02-28 05:47 . 2008-02-28 05:47 <DIR> d-------- C:\VundoFix Backups
2008-02-27 18:00 . 2002-07-17 07:42 577,536 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-02-27 17:04 . 2008-02-27 17:04 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\SUPERAntiSpyware.com
2008-02-27 17:04 . 2008-02-27 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-27 16:56 . 2008-02-27 16:56 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-27 06:45 . 2008-02-27 18:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-27 06:30 . 2001-08-23 07:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\dllcache\msir3jp.lex
2008-02-27 06:29 . 2001-08-23 07:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll
2008-02-27 06:28 . 2004-08-03 17:56 2,134,528 --a------ C:\WINDOWS\SYSTEM32\dllcache\smtpsnap.dll
2008-02-27 06:27 . 2004-08-03 17:56 829,440 --a------ C:\WINDOWS\SYSTEM32\dllcache\inetmgr.dll
2008-02-27 06:23 . 2008-02-27 06:23 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-27 06:23 . 2008-02-27 06:23 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2008-02-27 06:23 . 2008-02-27 06:23 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2008-02-27 06:23 . 2008-02-27 06:23 749 -rah----- C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
2008-02-27 06:23 . 2008-02-27 06:23 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2008-02-27 06:23 . 2008-02-27 06:23 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-02-27 06:03 . 2004-08-03 22:31 20,992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\RTL8139.sys
2008-02-27 05:58 . 2004-08-03 18:57 1,086,058 -ra------ C:\WINDOWS\SET9B.tmp
2008-02-27 05:58 . 2004-08-03 19:03 1,042,903 -ra------ C:\WINDOWS\SET9A.tmp
2008-02-27 05:58 . 2004-08-03 18:58 13,753 -ra------ C:\WINDOWS\SET9F.tmp
2008-02-27 05:56 . 2008-02-27 05:56 <DIR> d--hs---- C:\FOUND.004
2008-02-26 20:15 . 2004-08-04 00:56 185,856 --a------ C:\WINDOWS\SYSTEM32\framedyn.dll
2008-02-26 17:48 . 2008-02-26 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-26 16:58 . 2008-02-26 16:58 <DIR> d-------- C:\Temp\sanR24
2008-02-26 16:55 . 2008-02-26 16:55 <DIR> d--hs---- C:\FOUND.003
2008-02-26 10:06 . 2008-02-27 18:22 22 --a------ C:\WINDOWS\pskt.ini
2008-02-26 05:19 . 2004-08-04 20:46 520,192 --a------ C:\WINDOWS\SYSTEM32\wscma2u.exe
2008-02-26 05:19 . 2005-10-21 20:20 278,528 --a------ C:\WINDOWS\SYSTEM32\ammpp.dll
2008-02-26 05:19 . 2005-10-18 11:14 144,896 --a------ C:\WINDOWS\SYSTEM32\lame_dshow.ax
2008-02-26 05:19 . 2006-12-24 07:36 73,728 --a------ C:\WINDOWS\SYSTEM32\a1.dll
2008-02-26 05:19 . 2005-10-26 13:12 70,144 --a------ C:\WINDOWS\SYSTEM32\AudioFileConvert.ocx
2008-02-26 05:19 . 2005-09-18 13:17 61,440 --a------ C:\WINDOWS\SYSTEM32\anming.ocx
2008-02-26 05:19 . 2005-10-26 13:12 3,772 --a------ C:\WINDOWS\SYSTEM32\AudioFileConvert.tlb
2008-02-25 21:57 . 2008-02-25 21:57 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\jk8
2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\iDlo18
2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\hc4
2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\cb2
2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\ax3
2008-02-25 21:54 . 2008-02-25 21:54 <DIR> d-------- C:\Temp
2008-02-22 18:42 . 2008-02-22 18:42 0 --a------ C:\WINDOWS\QuickInstall.INI
2008-02-22 18:37 . 2008-02-22 18:37 0 --a------ C:\WINDOWS\QUICKI~1.INI
2008-02-22 18:33 . 2008-02-22 18:33 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\Leadertech
2008-02-22 18:23 . 2008-02-22 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2008-02-22 18:23 . 2008-02-22 18:20 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2008-02-22 18:20 . 2008-02-22 18:20 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\HotSync
2008-02-19 19:07 . 2004-08-03 23:04 30,080 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
2008-02-19 19:07 . 2004-08-03 23:04 12,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
2008-02-18 18:10 . 2008-02-18 18:10 24 --a------ C:\WINDOWS\AM_D8.PRF
2008-02-16 07:16 . 2008-02-16 07:16 <DIR> d-------- C:\Documents and Settings\Windows User\.limewire
2008-02-14 17:27 . 2008-02-14 17:27 <DIR> d--hs---- C:\FOUND.002
2008-02-13 20:30 . 2008-02-13 20:30 <DIR> d-------- C:\Documents and Settings\Windows User\Apps
2008-02-08 16:33 . 2008-02-08 16:33 <DIR> d-------- C:\Program Files\Paint.NET
2008-02-08 16:33 . 2008-02-08 16:33 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\Paint.NET
2008-02-08 15:05 . 2001-08-17 14:06 154,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Icam4USB.sys
2008-02-08 15:05 . 2001-08-17 22:36 91,136 --a------ C:\WINDOWS\SYSTEM32\icam4com.dll
2008-02-08 15:05 . 2001-08-17 22:36 61,952 --a------ C:\WINDOWS\SYSTEM32\Icam4EXT.dll
2008-02-08 13:48 . 2008-02-08 13:48 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\WMTools Downloaded Files
2008-02-08 13:40 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MSTEE.sys
2008-02-08 13:39 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NABTSFEC.sys
2008-02-08 13:39 . 2004-08-03 23:10 19,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\WSTCODEC.SYS
2008-02-08 13:38 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\SYSTEM32\kswdmcap.ax
2008-02-08 13:38 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\SYSTEM32\kstvtune.ax
2008-02-08 13:38 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\SYSTEM32\vfwwdm32.dll
2008-02-08 13:38 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\SYSTEM32\ksxbar.ax
2008-02-08 13:38 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\SYSTEM32\vidcap.ax
2008-02-08 13:38 . 2004-08-03 23:10 17,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CCDECODE.sys
2008-02-08 13:38 . 2004-08-03 22:58 5,376 --a------ C:\WINDOWS\SYSTEM32\MSPCLOCK.sys
2008-02-08 13:28 . 2008-02-08 13:28 <DIR> d-------- C:\Drivers
2008-02-08 13:28 . 2001-11-05 09:23 299,923 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sonyhcs.sys
2008-02-08 13:28 . 2002-10-15 22:41 102,220 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sonypvs1.sys
2008-02-08 13:28 . 2001-11-05 09:23 38,739 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sonyhcc.sys
2008-02-08 13:28 . 2001-11-05 09:23 6,097 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sonyhcb.sys
2008-02-08 13:28 . 2001-07-03 20:39 3,654 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Sonyhcp.dll
2008-02-08 13:27 . 2004-03-08 12:55 13,567 --------- C:\WINDOWS\SYSTEM32\DRIVERS\CDRBSDRV.SYS
2008-02-08 13:27 . 2000-05-19 17:49 1,458 --------- C:\WINDOWS\SYSTEM32\LTOCX12n.INF
2008-02-08 13:18 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\USBAUDIO.sys
2008-02-08 11:25 . 2008-02-08 11:25 <DIR> d--hs---- C:\FOUND.001
2008-02-01 17:33 . 2008-02-01 17:33 <DIR> d-------- C:\Program Files\Water Bugs
2008-02-01 17:33 . 2008-02-01 17:33 <DIR> d-------- C:\Program Files\Heroes of Hellas
2008-02-01 17:33 . 2008-02-01 17:33 <DIR> d-------- C:\Program Files\Gold Miner Vegas
2008-02-01 17:33 . 2008-02-01 17:33 <DIR> d-------- C:\Program Files\Elven Mists
2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Treasures of the Deep
2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Top Ten Solitaire
2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Snowy Treasure Hunter 2
2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Ozzy Bubbles
2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Nab-n-Grab
2008-02-01 17:32 . 2008-02-01 17:32 <DIR> d-------- C:\Program Files\Jewel Quest Solitaire II
2008-02-01 17:31 . 2008-02-01 17:31 <DIR> d-------- C:\Program Files\Turtle Odyssey 2
2008-02-01 17:31 . 2008-02-01 17:31 <DIR> d-------- C:\Program Files\Chicken Invaders 3 Christmas Edition
2008-02-01 17:30 . 2008-02-01 17:30 <DIR> d-------- C:\Program Files\Chicken Invaders 3
2008-02-01 17:18 . 2008-02-01 17:18 <DIR> d--hs---- C:\FOUND.000
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 11:52 39,848 ----a-w C:\Documents and Settings\Windows User\Application Data\GDIPFONTCACHEV1.DAT
2008-02-26 03:11 278,534 ----a-w C:\WINDOWS\FONTS\Setup.exe
2008-02-22 23:20 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2008-02-08 19:29 284 ----a-w C:\Documents and Settings\Windows User\Application Data\ViewerApp.dat
2008-01-19 22:56 --------- d-----w C:\Documents and Settings\Windows User\Application Data\LimeWire
2008-01-15 11:16 --------- d-----w C:\Program Files\2nd Story Software
2008-01-12 14:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScreenSeven
2008-01-07 21:23 --------- d-----w C:\Documents and Settings\Windows User\Application Data\iWin
2008-01-03 23:34 --------- d-----w C:\Program Files\Datel
2008-01-02 10:26 --------- d-----w C:\Program Files\iPod
2008-01-02 10:22 --------- d-----w C:\Program Files\QuickTime
2005-12-26 13:54 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2000-06-16 17:26 271 --sh--w C:\Program Files\desktop.ini
2000-06-16 17:26 23,357 ---ha-w C:\Program Files\folder.htt
1989-12-12 15:10 1,148,784 --sha-r C:\WINDOWS\eqshigw.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"SUPERAntiSpyware"="G:\SUPERAntiSpyware.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MOSearch"="C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe" [2001-01-19 15:28 69632]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2004-08-03 22:56 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - G:\Office\OSA9.EXE [1999-02-17 14:05:56 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"HPScanPatch"=C:\WINDOWS\SYSTEM32\HPScanFix.exe
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\SYSTEM32\hpztsb05.exe
"PP3100b"=C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
"yaemu.exe"=C:\WINDOWS\SYSTEM\yaemu.exe
"OmgStartup"=C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
"SsAAD.exe"=C:\PROGRA~1\SONY\SONICS~1\SSAAD.EXE
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"dmseq.exe"=C:\WINDOWS\SYSTEM\dmseq.exe
"csldh.exe"=csldh.exe
"LoadQM"=loadqm.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"IgfxTray"=C:\WINDOWS\SYSTEM32\IGFXTRAY.EXE
"HotKeysCmds"=C:\WINDOWS\SYSTEM32\HKCMD.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"E:\\StubInstaller.exe"=
"E:\\LimeWire\\LimeWire.exe"=
"E:\\iTunes\\iTunes.exe"=
R2 SDPASVC;SDPAUMS server service;C:\WINDOWS\system32\sdpasvc.exe [2001-08-07 14:27]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 11:07:24 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2008-02-25 13:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 08:25:34
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-28 8:27:37 - machine was rebooted [Windows User]
ComboFix-quarantined-files.txt 2008-02-28 13:27:32
.
2008-02-14 23:10:47 --- E O F ---
I then ran RenV.exe
RenV.exe Log 8:33AM, 2-28-08
Ran on Thu 02/28/2008 - 8:32:11.78
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
Then, of course, HJT again:
ComboFix Log 8:30AM, 2-28-08
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:33:50 AM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Windows User\Desktop\moon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
--
End of file - 4595 bytes
Hopefully, I didn't mess anything up too badly. The other posts listed scripts to write then drag into both ComboFix and RenV, but the scripts were very specific to the other user's systems, and my deleted/bad files are listed differently than theirs were.
I was able to delete the two original desktop items, and neither of them has come back.
Any further help would be most appreciated!!!! THANK YOU!!!!
Newest HJT Log; I think I'm clean, finally, but not completely sure:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:28:31 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Windows User\Desktop\Happy.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] G:\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = G:\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
--
End of file - 4596 bytes