
Trojan called Win32:Delf-HPR [Trj]


  • This topic is locked
19 replies to this topic

#1 akire

akire

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 08 April 2009 - 11:06 AM

Hi everyone! I used to come on here a lot a couple years ago, but for the life of me I can't recall the user name I had. Anyway, the people who sorted out my mess years ago helped me so much, so thought it would be best to ask this forum.
My problem is my pc at work. I noticed that this computer took forever to open a site and I had a feeling it was infected. Adaware (I think it's called) didn't find any problems. Spybot S&D found a few spywares including the trojan, Win32:Delf-HPR [Trj], and after scanning for what felt like HOURS it was supposedly clean/fixed (it wasn't). But my Avast keeps warning me about this trojan. I try to move the file or just temporarily disable it, but it didn't work. My only other option is to delete it, but I'm afraid I may mess it all up. Here is the DDS log. I hope someone could help me. :thumbup2: :)


DDS (Ver_09-03-16.01) - NTFSx86
Run by Joe Bonanno at 11:40:39.10 on Wed 04/08/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.54 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090408-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joe Bonanno\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: : {e0c68cb5-8eab-4e2d-acfa-69257649b468} - c:\windows\system32\xilumqi.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AdwareAlert] c:\program files\adwarealert\AdwareAlert.exe -boot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Yjizojik] rundll32.exe "c:\windows\ugobezud.dll",e
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://games.bigfishgames.com/en_fashion-dash/online/fashiondashweb.1.0.0.21.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen9.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} - hxxp://games.bigfishgames.com/en_fitness-dash/online/FitnessDashWeb.1.0.0.11.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} - hxxp://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://games.bigfishgames.com/en_dinerdash2restaura/online/DinerDash2.1.0.0.48.cab
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://gameyard.com/online_games/wedding_dash2_online/WeddingDash2Web.1.0.0.11.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=20613
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://games.bigfishgames.com/en_burger-shop/online/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://games.bigfishgames.com/en_dinerdashfloontheg/online/ddfotg.1.0.0.33.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://games.bigfishgames.com/en_dinerdash/online/DinerDash.1.0.0.58.cab
DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} - hxxp://www.thesecret.tv/movie/player/player_ocx.jpeg
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: nvhelovj - xilumqi.dll
LSA: Notification Packages = scecli dsedfscn.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-7 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-7 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-7 138680]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-10 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-7 254040]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S2 rcuguvmt;Disk Helper;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-7 352920]

=============== Created Last 30 ================

2009-04-08 11:23 0 a------- c:\windows\Ftovivanoqiqurih.bin
2009-04-08 11:23 408 a------- c:\windows\Rzuwahatewisucej.dat
2009-04-08 11:19 276 a------- c:\windows\wininit.ini
2009-04-08 10:26 <DIR> --d----- c:\docume~1\joebon~1\applic~1\biqiaqop
2009-04-08 10:11 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-08 10:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-07 12:28 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-04-06 14:32 <DIR> --dsh--- c:\windows\system32\lowsec
2009-03-12 10:48 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-03-11 08:49 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-11 08:49 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-11 08:48 <DIR> --d----- c:\program files\iPod
2009-03-11 08:48 <DIR> --d----- c:\program files\iTunes
2009-03-11 08:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-11 08:47 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-04-02 08:50 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-05-16 14:17 16,760 a------- c:\docume~1\joebon~1\applic~1\GDIPFONTCACHEV1.DAT
2007-04-23 15:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 15:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 12:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 12:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 12:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 12:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 12:30 28,672 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 12:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 12:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 11:41:45.92 ===============



#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:02:34 AM

Posted 20 April 2009 - 12:19 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 akire

akire
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 22 April 2009 - 07:48 AM

Hi and thank you so much for getting back to me. Here is the new DDS info along with the attached txt file. Still having the same problem with a/v letting me know about viruses and spyware and unable to delete it.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Joe Bonanno at 8:40:57.04 on Wed 04/22/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.155 [GMT -7:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Joe Bonanno\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.msn.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: : {e0c68cb5-8eab-4e2d-acfa-69257649b468} - c:\windows\system32\xilumqi.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdwareAlert] c:\program files\adwarealert\AdwareAlert.exe -boot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Yjizojik] rundll32.exe "c:\windows\ugobezud.dll",e
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://games.bigfishgames.com/en_fashion-dash/online/fashiondashweb.1.0.0.21.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen9.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} - hxxp://games.bigfishgames.com/en_fitness-dash/online/FitnessDashWeb.1.0.0.11.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} - hxxp://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://games.bigfishgames.com/en_dinerdash2restaura/online/DinerDash2.1.0.0.48.cab
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://gameyard.com/online_games/wedding_dash2_online/WeddingDash2Web.1.0.0.11.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=20613
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://games.bigfishgames.com/en_burger-shop/online/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://games.bigfishgames.com/en_dinerdashfloontheg/online/ddfotg.1.0.0.33.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://games.bigfishgames.com/en_dinerdash/online/DinerDash.1.0.0.58.cab
DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} - hxxp://www.thesecret.tv/movie/player/player_ocx.jpeg
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: nvhelovj - xilumqi.dll
LSA: Notification Packages = scecli dsedfscn.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-9 148496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-9 353672]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-4-9 464264]
R2 rcuguvmt;Terminal Server Device Redirector Helper;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-10 24652]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-04-17 08:32 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-17 08:32 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-17 08:32 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-17 08:32 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-17 08:32 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 08:32 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 08:32 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 08:32 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-17 08:32 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-17 08:24 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-17 08:23 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 08:23 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-09 09:29 3,510 a------- C:\rollback.ini
2009-04-09 09:14 <DIR> --d----- c:\docume~1\joebon~1\applic~1\MailFrontier
2009-04-09 09:02 51,408,928 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-09 09:02 683,132 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-09 08:58 <DIR> --d----- c:\program files\AskBarDis
2009-04-09 08:55 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-04-09 08:55 72,584 a------- c:\windows\zllsputility.exe
2009-04-09 08:52 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-04-09 08:52 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-04-09 08:52 <DIR> --d----- c:\program files\Zone Labs
2009-04-09 08:52 350,210 a------- c:\windows\system32\vsconfig.xml
2009-04-09 08:50 <DIR> --d----- c:\windows\Internet Logs
2009-04-08 11:23 0 a------- c:\windows\Ftovivanoqiqurih.bin
2009-04-08 11:23 408 a------- c:\windows\Rzuwahatewisucej.dat
2009-04-08 11:19 276 a------- c:\windows\wininit.ini
2009-04-08 10:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-07 12:28 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-04-06 14:32 <DIR> --dsh--- c:\windows\system32\lowsec

==================== Find3M ====================

2009-04-02 08:50 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 01:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 01:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2008-05-16 14:17 16,760 a------- c:\docume~1\joebon~1\applic~1\GDIPFONTCACHEV1.DAT
2007-04-23 15:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 15:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 12:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 12:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 12:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 12:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 12:30 28,672 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 12:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 12:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 8:42:01.59 ===============

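Both DDS logs in this thread carry the same persistence entries in the Pseudo HJT Report: an extra executable appended to the Winlogon Userinit value, a BHO with no name, a Winlogon Notify entry loading that same DLL, and a non-default LSA notification package. As an added example (not part of the thread and not the DDS tool's own code), this Python script parses that section and flags those entries; the sample report is copied from the second log above, and the default values it compares against (a stock XP Userinit, 'scecli' as the only LSA package) and the rundll32 heuristic are assumptions.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for persistence entries.

Added example (not part of the thread, and not the DDS tool's own code).
Default values it compares against are assumptions about a stock XP install.
"""
import re
from dataclasses import dataclass, field

# Assumption: on a stock XP install the Userinit value holds only userinit.exe.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}
# Assumption: 'scecli' is the only LSA notification package present by default.
DEFAULT_LSA_PACKAGES = {"scecli"}

BHO_RE = re.compile(r"^BHO: (?P<name>.*?): (?P<clsid>\{[0-9a-f-]+\}) - (?P<dll>.+)$", re.I)
NOTIFY_RE = re.compile(r"^Notify: (?P<key>\S+) - (?P<dll>.+)$")
RUN_RE = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Constructed input: the relevant lines of the second DDS log posted above.
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: : {e0c68cb5-8eab-4e2d-acfa-69257649b468} - c:\windows\system32\xilumqi.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Yjizojik] rundll32.exe "c:\windows\ugobezud.dll",e
Notify: nvhelovj - xilumqi.dll
LSA: Notification Packages = scecli dsedfscn.dll
"""


@dataclass
class Finding:
    kind: str
    detail: str


@dataclass
class Report:
    userinit: list = field(default_factory=list)      # entries of the Userinit value
    bhos: dict = field(default_factory=dict)          # clsid -> (display name, dll path)
    notify: dict = field(default_factory=dict)        # Winlogon Notify subkey -> dll
    lsa_packages: list = field(default_factory=list)  # LSA Notification Packages
    runs: list = field(default_factory=list)          # (scope, value name, command)


def parse_report(text):
    """Pull the persistence-relevant lines out of a Pseudo HJT Report."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("mWinlogon: Userinit="):
            value = line.split("=", 1)[1]
            rep.userinit = [p.strip().lower() for p in value.split(",") if p.strip()]
            continue
        if line.startswith("LSA: Notification Packages ="):
            rep.lsa_packages = line.split("=", 1)[1].split()
            continue
        m = BHO_RE.match(line)
        if m:
            rep.bhos[m["clsid"].lower()] = (m["name"].strip(), m["dll"].strip().lower())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            rep.notify[m["key"]] = m["dll"].strip().lower()
            continue
        m = RUN_RE.match(line)
        if m:
            rep.runs.append((m["scope"], m["name"], m["cmd"].strip()))
    return rep


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(rep):
    """Return the entries a responder would check first, in log order of severity."""
    findings = []
    # 1. Anything appended to Userinit runs at every interactive logon.
    for entry in rep.userinit:
        if entry not in EXPECTED_USERINIT:
            findings.append(Finding("userinit-hijack", f"extra Userinit entry: {entry}"))
    # 2. A BHO registered without a display name deserves a second look.
    for clsid, (name, dll) in rep.bhos.items():
        if not name:
            findings.append(Finding("unnamed-bho", f"{clsid} -> {dll}"))
    # 3. The same DLL registered as a BHO and as a Winlogon Notify package
    #    is loaded both by Internet Explorer and by winlogon.exe.
    bho_dlls = {basename(dll) for _, dll in rep.bhos.values()}
    for key, dll in rep.notify.items():
        if basename(dll) in bho_dlls:
            findings.append(Finding("notify-bho-overlap",
                                    f"Notify '{key}' loads {dll}, also registered as a BHO"))
    # 4. Extra LSA notification packages are loaded by lsass.exe and are told
    #    about password changes.
    for pkg in rep.lsa_packages:
        if pkg.lower() not in DEFAULT_LSA_PACKAGES:
            findings.append(Finding("lsa-notification-package", f"non-default package: {pkg}"))
    # 5. Heuristic (assumption): rundll32 loading a DLL that sits directly in
    #    the Windows directory rather than under system32.
    for scope, name, cmd in rep.runs:
        low = cmd.lower()
        if low.startswith("rundll32") and "\\windows\\" in low and "\\system32\\" not in low:
            findings.append(Finding("rundll32-loader", f"{scope}Run [{name}]: {cmd}"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{f.kind}] {f.detail}")
```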

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:34 AM

Posted 22 April 2009 - 07:19 PM

Hello.

You have a nasty infection. Let me know if you wish to continue to remove this infection or format.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 akire

akire
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 22 April 2009 - 07:52 PM

Hi extremeboy, thanks for your reply and willingness to help. I would like to try and get rid of it as much as possible. Thankfully, I haven't been banking on that computer, but I have checked my email and there isn't any important information in that specific computer. It is mainly used for the internet. So, I'm ready for a step by step instruction. I was also wondering that being that it is a backdoor trojan ... will a firewall help prevent that specific trojan from doing anything at all?

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:34 AM

Posted 22 April 2009 - 08:00 PM

Hello.

I was also wondering that being that it is a backdoor trojan ... will a firewall help prevent that specific trojan from doing anything at all?

Yes, but the computer is already compromised so even having a firewall right now won't help too much. Right now the course of action is to disconnect from the internet as mentioned already. We will start off with Combofix. Please read instructions on downloading it and then running it.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

If you have any problems feel free to ask :thumbup2:

With Regards,
Extremeboy

#7 akire

akire
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 22 April 2009 - 08:14 PM

I really appreciate your help, extremeboy. Just want you to know I'll have to do this first thing tomorrow morning while in the office. I'm actually printing this right now from home to take with me since I don't have one connected to that computer.

Edited by akire, 22 April 2009 - 08:14 PM.


#8 akire

akire
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 23 April 2009 - 08:00 AM

Good morning. I am posting the Combo Fix log.

ComboFix 09-04-23.A1 - Joe Bonanno 04/23/2009 8:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.100 [GMT -7:00]
Running from: c:\documents and settings\Joe Bonanno\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\DinerDash.1.0.0.58
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\cup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\customer_cup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\heart.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\menu_down.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\menu_up.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\plates.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\ticket.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\accessories\tray.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_bring_check_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_deliver_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_deliver_order_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_diner.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_dish_dropoff_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_food_ready_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_gain_heart_1.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_get_drinks_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_party_arrive_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_pencil_write_2.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_pickup_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_rollover_1.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\audio\sfx\sfx_seat_people_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\choosedifficulty.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\credits.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\flo_lose.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\flo_win.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\help1.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\help2.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\highscores.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\levelintro.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\levelintro_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\levelover.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\levelover_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\popup.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\popup_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\upgradegrid.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\upgradetitle.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\backgrounds\upsell.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\arrowleft_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\arrowleft_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\arrowright_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\arrowright_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\back_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\back_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\backchalk.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\backchalkup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\backtomenu_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\backtomenu_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\cancel.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\cancelup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\career.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\career_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\close.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\closeup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\continue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\continueover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\credits_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\credits_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\download_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\download_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\easy.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\easy_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\endlessshift.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\endlessshift_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\hard.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\hard_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\help.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\help_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\highscores.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\highscores_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\instructions_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\instructions_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\letsplay.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\letsplayover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\medium.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\medium_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\moreinfo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\moreinfoup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\off.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\off_on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\on_on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\pause.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\pauseover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\quit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\quitgame.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\quitgameover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\quitover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\resumegame.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\resumegameover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\submit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\submitup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\tryagain.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\tryagainover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\upgrade_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\upgrade_up.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewglobal.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewglobalup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewhighscore.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewhighscoreon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewlocal.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\buttons\viewlocalup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\comics\webcomic.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\config\career.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\config\customer.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\config\endless.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\config\global.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\config\powerups.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\cook\cook.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\cook\cook.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\cook\stove.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\cursor\arrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\cursor\click.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\cursor\click2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\cursor\grab.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\cursor\open.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\blue\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\blue\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\blue\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\green\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\green\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\green\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\purple\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\purple\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\purple\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\red\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\red\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\red\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\yellow\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\yellow\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\old_male\yellow\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\blue\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\blue\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\blue\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\green\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\green\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\green\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\purple\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\purple\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\purple\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\red\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\red\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\red\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\yellow\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\yellow\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\customers\young_female\yellow\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\flo\idle.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\flo\idle.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\flo\lower.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\flo\lower.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\flo\upper.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\flo\upper.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\fonts\arial.mvec
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\fonts\komikaaxis.mvec
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\furniture\chair.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\furniture\chair.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\furniture\dirt2top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\furniture\dirt4top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\furniture\dishcart.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\furniture\dishcart.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\furniture\drinkstation_off.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\furniture\drinkstation_on1.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\furniture\drinkstation_on2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\furniture\ticketstation.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\furniture\ticketstation.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\hiscore\arrowdown.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\hiscore\arrowdownon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\hiscore\arrowleft.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\hiscore\arrowlefton.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\hiscore\arrowright.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\hiscore\arrowrighton.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\hiscore\arrowup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\hiscore\arrowupon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\hiscore\p1icon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\hiscore\textedit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\hiscore\title.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_1.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_1_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_1_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_1_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_2.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_2_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_2_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_2_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_2_d.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_3.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_3_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_3_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_3_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\endless_1_3_d.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\fifth_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\first_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\fourth_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\layouts\second_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\playfirst_logo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\background.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\food\food1.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\food\food1.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\food\food2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\food\food2.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\food\food3.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\food\food3.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\frames\upgrade_0001.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\tables\2top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\tables\2top.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\tables\4top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\tables\4top.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\diner\upgrades.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\restaurants\tableshadow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\choosedifficulty.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\chooseplayer.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\chooserestaurant.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\credits.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\game.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\gothighscore.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\help.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\help2.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\hiscore.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\hiscoreinfo.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\hiscoresubmit.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\levelintro.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\levelover.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\loading.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\mainloop.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\mainmenu.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\ok.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\pause.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\style.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\tutorialintro.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\upgrade.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\upsell.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\webcomic.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\scripts\yesno.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\splash\gamelabsplash.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\strings.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\angersmoke.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\angersmoke.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\chairflags.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\chairflags.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\check.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\checkmark.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\clock.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\closed.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\closingtime.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\coinflip.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\coinflip.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\dollar.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\doodles\coffee.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\doodles\tables.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\doodles\wallpaper.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\expert.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\expertscore.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\foodpoof.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\foodpoof.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\fork_timer.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\goalcompleted.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\heartgrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\heartgrow.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\jar.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\jar.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\level.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\level_career.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\score.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\sound.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\staroff.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\staron.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\tablenumber.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\tablenumberup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\traynumber.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\tutorial_character.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\tutorialarrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\tutorialbox.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgradeanim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgradeanim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\drinks.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\maitred.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\oven.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\select.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\shoes.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\stereo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\assets\ui\upgrades\table.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.58\dinerdash.exe
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\accessories\dirty_dishes.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\accessories\foodtray.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\accessories\heart1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\accessories\heart2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\accessories\heart3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\accessories\menu_down.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\accessories\menu_up.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\accessories\mop_prop.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\accessories\ticket.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\music\cafe\cafe_music_a1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\music\cafe\cafe_music_a2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\music\cafe\cafe_music_a3.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\music\cafe\cafe_music_a4.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\baby_cry.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\chef_cook1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\closing_time.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\customer_ditch.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\dialog_down.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\dialog_up.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\drink_table.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\expert.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\highchair_deliver.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\highchair_pickup.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\keystroke2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\level_lose.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\level_win.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\menu_click.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\menu_rollover.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\mop_pickup.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\mop_spill.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_bring_check_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_deliver_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_dish_dropoff_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_dropoff_drinks_1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_food_ready_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_gain_heart_1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_get_drinks_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_menu_down.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_party_arrive_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_pencil_write_2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_pickup_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_seat_people_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\spill.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\table_drink.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\audio\sfx\tip_2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\flo_lose.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\flo_win.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\fullscreendialog.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\high_score_menu_bg.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\levelintro.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\levelintro.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\levelover.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\longdialog.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\longdialog.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\mainmenu_logo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\popup.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\popup.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\textfield.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\backgrounds\upgrade_lines.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\arrowdown_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\arrowdown_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\arrowdown_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\arrowup_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\arrowup_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\arrowup_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\checkbox_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\checkbox_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\checkbox_rotated_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\checkbox_rotated_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\decor_highlight.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\decor_normal.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\decor_selected.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_large_1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_large_2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_large_3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_small_1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_small_2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_small_3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\left_arrow_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\left_arrow_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\left_arrow_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\main_menu_button1_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\main_menu_button1_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\main_menu_button1_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\main_menu_button1_mask.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\main_menu_button2_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\main_menu_button2_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\main_menu_button2_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\main_menu_button2_mask.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\map_button_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\map_button_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\map_button_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\right_arrow_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\right_arrow_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\right_arrow_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\upgrade_down.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\upgrade_over.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\upgrade_up.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\buttons\welcome_player.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\config\actionpoints.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\config\career.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\config\customer.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\config\endless.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\config\global.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\config\powerups.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\cook\stove.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\cursor\arrow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\cursor\click.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\cursor\click2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\cursor\grab.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\cursor\open.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\dad_male\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\dad_male\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\dad_male\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\dad_male\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\dad_male\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\dad_male\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\dad_male\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\kid_male\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\kid_male\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\kid_male\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\kid_male\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\kid_male\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\kid_male\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\kid_male\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\mom_female\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\mom_female\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\mom_female\baby.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\mom_female\baby.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\mom_female\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\mom_female\blue_baby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\mom_female\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\mom_female\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\mom_female\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\mom_female\red_baby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\mom_female\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\young_female\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\young_female\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\young_female\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\young_female\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\young_female\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\young_female\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\customers\young_female\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\flo\idle.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\flo\idle.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\flo\lower.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\flo\lower.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\flo\upper.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\flo\upper.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\fonts\mercurius.mvec
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\bench.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\bench.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\blue_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\chair.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\chair.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\dirt2top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\dirt4top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\dishcart.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\dishcart.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\green_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\highchair_prop_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\highchair_prop_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\highchairbaby.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\highchairbaby.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\luxury_bench.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\luxury_bench.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\mop_station_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\mop_station_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\mop_station_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\podium.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\podium_heart.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\podium_heart.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\purple_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\radio.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\red_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\spill.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\spill.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\stereo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\ticketstation.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\ticketstation.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\furniture\yellow_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\help\family.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\help\help_dividerline.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\help\help1_colormatch1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\help\help1_colormatch2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\help\help1_noise.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\help\help1_score.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\help\help2_cleardishes.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\help\help2_givecheck.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\help\help2_pickupfood.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\help\help2_servefood.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\help\help2_takeorder.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\hiscore\local-hs-bb.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\hiscore\p1icon.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\layouts\career_1_1.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\layouts\career_1_2.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\layouts\career_1_3.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\layouts\career_1_4.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\layouts\career_1_5.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\layouts\career_1_6.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\layouts\endless_1_1.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\layouts\endless_1_1_a.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\layouts\endless_1_1_b.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\layouts\endless_1_1_c.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\playfirstlogo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\background.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\chairs\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\chairs\green.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\chairs\green.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\chairs\grey.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\chairs\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\food\cup1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\food\food.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\food\food.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\frames\2_0.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\frames\2_1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\furniture\drinkstation1_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\furniture\drinkstation1_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\furniture\drinkstation1_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\people\cook.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\people\cook.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\props\cup_prop1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\tables\2top.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\tables\2top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\tables\4top.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\tables\4top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\upgrade_icons\cafe_icon_2_0.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\upgrade_icons\cafe_icon_2_1.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\cafe\upgrades.xml
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\restaurants\tableshadow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\careerupgrade.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\choosedifficulty.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\closeconfirm.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\entername.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\game.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\getmoregames.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\help1.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\help2.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\hiscore.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\hiscoreinfo.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\hiscoresubmit.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\levelintro.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\levelover.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\loading.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\mainloop.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\mainmenu.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\ok.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\pause.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\style.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\upgrade.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\upsell.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\scripts\yesno.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\splash\aol_logo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\strings.xml
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\angersmoke.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\angersmoke.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\bubbles\request_bubble.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\bubbles\request_mop.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\bubbles\request_rejectmeal.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\chairflags.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\chairflags.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\check.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\checkmark.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\closed.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\coinflip.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\coinflip.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\decor_lines.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\dollar.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\expert.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\foodpoof.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\foodpoof.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\heartgrow.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\heartgrow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\jar.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\jar.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\lives_icon.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\noisering.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\notes\music_boost_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\notes\music_boost_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\notes\music_boost_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\notes\music_boost_d.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\notes\music_boost_e.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\notes\music_boost_f.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\tablenumber_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\tablenumber_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\traynumber.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\tutorialarrow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\tutorialbox.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\ui_base.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\ui_hand.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\ui_timer_off.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\ui_timer_on.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgradeanim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_bench_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_bench_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_bench_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_drink_station1_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_drink_station1_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_drink_station1_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_luxury_bench_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_luxury_bench_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_luxury_bench_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_oven_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_oven_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_oven_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_podium_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_podium_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_podium_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_powerbars_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_powerbars_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_powerbars_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_radio_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_radio_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_radio_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_stereo_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_stereo_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_stereo_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_table_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_table_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_table_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\upsell\dd1.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\upsell\dd2.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\upsell\dd3.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\assets\upsell\dd4.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.48\dinerdash2.exe
c:\windows\dsedfscn.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\xilumqi.dll
c:\windows\ugobezud.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RCUGUVMT
-------\Service_rcuguvmt


((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.

2009-04-17 15:32 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 15:32 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 15:32 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 15:32 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 15:32 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 15:32 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 15:32 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 15:32 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 15:32 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 15:24 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 15:23 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 15:23 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 21:13 . 2009-04-15 21:13 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\biqiaqop
2009-04-09 16:29 . 2009-04-22 15:25 3510 ----a-w C:\rollback.ini
2009-04-09 16:14 . 2009-04-09 20:06 -------- d-----w c:\documents and settings\Joe Bonanno\Application Data\MailFrontier
2009-04-09 16:02 . 2009-04-23 15:49 64650016 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-09 16:02 . 2009-04-23 15:42 865772 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-09 15:55 . 2009-04-09 16:08 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-09 15:55 . 2009-02-16 07:10 72584 ----a-w c:\windows\zllsputility.exe
2009-04-09 15:52 . 2009-02-16 07:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-04-09 15:52 . 2009-04-22 15:38 -------- d-----w c:\windows\system32\ZoneLabs
2009-04-09 15:52 . 2009-04-23 15:43 350210 ----a-w c:\windows\system32\vsconfig.xml
2009-04-09 15:50 . 2009-04-23 15:45 -------- d-----w c:\windows\Internet Logs
2009-04-08 18:23 . 2009-04-23 15:23 0 ----a-w c:\windows\Ftovivanoqiqurih.bin
2009-04-08 18:23 . 2009-04-16 21:41 408 ----a-w c:\windows\Rzuwahatewisucej.dat
2009-04-08 18:19 . 2009-04-08 18:19 276 ----a-w c:\windows\wininit.ini
2009-04-08 17:11 . 2009-04-09 20:05 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-07 22:00 . 2009-04-08 16:56 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-07 19:28 . 2003-03-18 20:20 1060864 ----a-w c:\windows\system32\MFC71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 22:11 . 2009-04-09 21:06 -------- d-----w c:\program files\Trillian
2009-04-22 20:45 . 2008-03-11 21:32 1744 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-20 22:16 . 2009-04-21 19:14 286208 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-04-15 22:13 . 2009-04-16 15:13 311296 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-04-14 22:12 . 2009-04-15 15:15 215040 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-04-09 22:16 . 2009-04-13 19:11 83968 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-09 20:59 . 2009-04-09 21:00 130560 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-09 20:55 . 2008-01-10 20:07 -------- d-----w c:\program files\Common Files\AOL
2009-04-09 20:11 . 2009-03-11 15:43 -------- d-----w c:\program files\Common Files\Apple
2009-04-09 20:03 . 2009-04-09 20:03 175637 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_09_12_56_00_small.dmp.zip
2009-04-09 18:32 . 2009-04-09 18:33 224256 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-04-09 15:58 . 2009-04-09 15:58 -------- d-----w c:\program files\AskBarDis
2009-04-09 15:52 . 2009-04-09 15:52 -------- d-----w c:\program files\Zone Labs
2009-03-11 15:49 . 2009-03-11 15:49 -------- d-----w c:\documents and settings\Joe Bonanno\Application Data\Apple Computer
2009-03-11 15:49 . 2009-03-11 15:48 -------- d-----w c:\program files\iTunes
2009-03-11 15:49 . 2009-03-11 15:48 -------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-11 15:48 . 2009-03-11 15:48 -------- d-----w c:\program files\iPod
2009-03-11 15:48 . 2009-03-11 15:46 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-11 15:47 . 2008-03-11 21:31 -------- d-----w c:\program files\QuickTime
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2006-02-28 12:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2006-02-28 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2006-02-28 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-02-28 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-02-28 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2006-02-28 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2006-02-28 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-02-28 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2006-02-28 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-02-28 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2006-02-28 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-09-09 18:58 . 2008-02-05 19:45 18096 ----a-w c:\documents and settings\Joe Bonanno\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 21:17 . 2008-05-16 21:17 16760 ----a-w c:\documents and settings\Joe Bonanno\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-17 01:22 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-17 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-17 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2006-5-29 1527808]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli dsedfscn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=

S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2008-10-17 464264]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v3.sys [2007-04-23 224896]

.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{E0C68CB5-8EAB-4E2D-ACFA-69257649B468} - c:\windows\system32\xilumqi.dll
HKCU-Run-AdwareAlert - c:\program files\AdwareAlert\AdwareAlert.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://games.bigfishgames.com/en_fashion-dash/online/fashiondashweb.1.0.0.21.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} - hxxp://games.bigfishgames.com/en_fitness-dash/online/FitnessDashWeb.1.0.0.11.cab
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://gameyard.com/online_games/wedding_dash2_online/WeddingDash2Web.1.0.0.11.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://games.bigfishgames.com/en_burger-shop/online/GoBitGamesPlayer_v4.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://games.bigfishgames.com/en_dinerdash/online/DinerDash.1.0.0.58.cab
DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} - hxxp://www.thesecret.tv/movie/player/player_ocx.jpeg
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 08:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-23 8:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-23 15:52

Pre-Run: 14,731,776,000 bytes free
Post-Run: 14,684,438,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

798 --- E O F --- 2009-04-17 22:21

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:34 AM

Posted 23 April 2009 - 03:21 PM

Hello.

Let's continue.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\windows\Ftovivanoqiqurih.bin
    c:\windows\Rzuwahatewisucej.dat
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Adware Toolbar (AskBarDis) Warning

You have AskBarDis installed. Some people consider this program adware and spyware. I suggest you uninstall it unless you really need it or want it.

AskBarDis Information

Information over here and here

View Point Programs Warning

Viewpoint Manager and Viewpoint Media Player are considered foistware rather than malware, since they are installed without the user's approval but don't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Additional instructions on removing the program can be found here.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with:
-Combofix log
-MBAM log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
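As an added example (not code from this thread, from ComboFix or from the helper), here is a small Python helper that decodes the hex(7) REG_MULTI_SZ line used in the CFScript above and flags any LSA "Notification Packages" entry other than the default scecli, which is the value the script restores. The tampered sample and the name "examplefilter" are constructed for illustration.

```python
"""Decode and check the LSA "Notification Packages" value (REG_MULTI_SZ, written
as hex(7) in REGEDIT4/CFScript files).  LSA loads every DLL named in this list
into lsass.exe, which is why a fix script resets it to the default "scecli"
and why an extra, unfamiliar name there is worth investigating."""
import re

# Constructed sample: the Registry:: section of the CFScript posted above.
CFSCRIPT_REGISTRY = r'''Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
'''

# On a stand-alone XP workstation the default list is just scecli; domain
# controllers or hosts with a deliberately installed password filter may
# legitimately carry more, so treat this as a starting allow-list.
DEFAULT_NOTIFICATION_PACKAGES = ("scecli",)

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_HEX7_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<hex>.*)$')


def decode_hex7(hex_text):
    """Turn a hex(7) byte list ("73,63,...") into the list of strings it holds."""
    cleaned = hex_text.replace("\\", "").replace(" ", "").strip(",")
    data = bytes(int(b, 16) for b in cleaned.split(",") if b)
    # REGEDIT4 exports (like the CFScript) are single-byte ANSI; Unicode
    # (REGEDIT5) exports are UTF-16LE, which shows up as zero high bytes.
    # This is a heuristic: it is reliable for ASCII DLL names, which is what
    # this value contains in practice.
    if len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    text = text.rstrip("\x00")          # drop the double-NUL terminator
    return text.split("\x00") if text else []


def encode_hex7(strings):
    """Inverse of decode_hex7 for REGEDIT4: ANSI, NUL-separated, double-NUL end."""
    data = "\x00".join(strings).encode("latin-1") + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)


def parse_reg_multi_sz(text):
    """Return {(key, value_name): [strings]} for every hex(7) value in a
    REGEDIT4 / CFScript "Registry::" block.  Lines ending in a backslash are
    continuation lines and are joined before decoding."""
    result = {}
    current_key = None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        while line.endswith("\\"):
            line = line[:-1] + next(lines, "").strip()
        key_match = REG_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = REG_HEX7_RE.match(line)
        if value_match and current_key is not None:
            result[(current_key, value_match.group("name"))] = decode_hex7(
                value_match.group("hex"))
    return result


def unexpected_notification_packages(packages, allowed=DEFAULT_NOTIFICATION_PACKAGES):
    """Entries of a Notification Packages list that are not on the allow-list
    (compared case-insensitively, since registry strings are not case-sensitive)."""
    allowed_lower = {name.lower() for name in allowed}
    return [name for name in packages if name.lower() not in allowed_lower]


def restore_line(allowed=DEFAULT_NOTIFICATION_PACKAGES):
    """The REGEDIT4 line that sets the value back to the allow-list, i.e. what the
    CFScript above does for the default "scecli"."""
    return '"Notification Packages"=hex(7):' + encode_hex7(allowed)


if __name__ == "__main__":
    lsa_key = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"
    packages = parse_reg_multi_sz(CFSCRIPT_REGISTRY)[(lsa_key, "Notification Packages")]
    print("CFScript sets Notification Packages to:", packages)
    # Constructed example of a tampered value; "examplefilter" is a made-up name.
    tampered = decode_hex7(encode_hex7(["scecli", "examplefilter"]))
    print("unexpected entries:", unexpected_notification_packages(tampered))
    print("restore line:", restore_line())
```

The same decoder works on a "reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa" output, so a suspect machine's value can be checked before deciding whether a fix line is needed.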

#10 akire

akire
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 24 April 2009 - 08:31 AM

Hello extremeboy. I deleted AskBarDis (it was installed with Zone Alarm). I also deleted View Point Media Player.
Here is the ComboFix w/ CFScript log:

ComboFix 09-04-24.01 - Joe Bonanno 04/24/2009 9:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.100 [GMT -7:00]
Running from: c:\documents and settings\Joe Bonanno\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe Bonanno\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\Ftovivanoqiqurih.bin
c:\windows\Rzuwahatewisucej.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Ftovivanoqiqurih.bin
c:\windows\Rzuwahatewisucej.dat

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.

2009-04-17 15:32 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 15:32 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 15:32 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 15:32 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 15:32 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 15:32 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 15:32 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 15:32 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 15:32 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 15:24 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 15:23 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 15:23 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 21:13 . 2009-04-15 21:13 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\biqiaqop
2009-04-15 21:13 . 2009-04-15 21:13 -------- d-----w c:\documents and settings\NetworkService\Application Data\biqiaqop
2009-04-09 16:29 . 2009-04-24 15:21 4023 ----a-w C:\rollback.ini
2009-04-09 16:14 . 2009-04-09 20:06 -------- d-----w c:\documents and settings\Joe Bonanno\Application Data\MailFrontier
2009-04-09 16:02 . 2009-04-24 16:07 77736992 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-09 16:02 . 2009-04-23 22:13 1014932 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-09 15:55 . 2009-04-09 16:08 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-09 15:55 . 2009-02-16 07:10 72584 ----a-w c:\windows\zllsputility.exe
2009-04-09 15:52 . 2009-02-16 07:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-04-09 15:52 . 2009-04-24 15:24 -------- d-----w c:\windows\system32\ZoneLabs
2009-04-09 15:52 . 2009-04-24 15:14 350210 ----a-w c:\windows\system32\vsconfig.xml
2009-04-09 15:50 . 2009-04-24 15:54 -------- d-----w c:\windows\Internet Logs
2009-04-08 18:19 . 2009-04-08 18:19 276 ----a-w c:\windows\wininit.ini
2009-04-08 17:11 . 2009-04-09 20:05 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-07 22:00 . 2009-04-08 16:56 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-07 19:28 . 2003-03-18 20:20 1060864 ----a-w c:\windows\system32\MFC71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 15:49 . 2008-01-10 20:07 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-23 22:11 . 2009-04-09 21:06 -------- d-----w c:\program files\Trillian
2009-04-22 20:45 . 2008-03-11 21:32 1744 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-20 22:16 . 2009-04-21 19:14 286208 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-04-15 22:13 . 2009-04-16 15:13 311296 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-04-14 22:12 . 2009-04-15 15:15 215040 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-04-09 22:16 . 2009-04-13 19:11 83968 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-09 20:59 . 2009-04-09 21:00 130560 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-09 20:55 . 2008-01-10 20:07 -------- d-----w c:\program files\Common Files\AOL
2009-04-09 20:11 . 2009-03-11 15:43 -------- d-----w c:\program files\Common Files\Apple
2009-04-09 20:03 . 2009-04-09 20:03 175637 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_09_12_56_00_small.dmp.zip
2009-04-09 18:32 . 2009-04-09 18:33 224256 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-04-09 15:52 . 2009-04-09 15:52 -------- d-----w c:\program files\Zone Labs
2009-03-11 15:49 . 2009-03-11 15:49 -------- d-----w c:\documents and settings\Joe Bonanno\Application Data\Apple Computer
2009-03-11 15:49 . 2009-03-11 15:48 -------- d-----w c:\program files\iTunes
2009-03-11 15:49 . 2009-03-11 15:48 -------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-11 15:48 . 2009-03-11 15:48 -------- d-----w c:\program files\iPod
2009-03-11 15:48 . 2009-03-11 15:46 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-11 15:47 . 2008-03-11 21:31 -------- d-----w c:\program files\QuickTime
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2006-02-28 12:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2006-02-28 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2006-02-28 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-02-28 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-02-28 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2006-02-28 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2006-02-28 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-02-28 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2006-02-28 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-02-28 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2006-02-28 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-09-09 18:58 . 2008-02-05 19:45 18096 ----a-w c:\documents and settings\Joe Bonanno\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 21:17 . 2008-05-16 21:17 16760 ----a-w c:\documents and settings\Joe Bonanno\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-23_15.49.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-09 16:03 . 2009-04-24 15:23 23128 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2009-04-09 16:03 . 2009-04-23 15:48 23128 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-04-09 15:55 . 2009-04-24 15:24 11942322 c:\windows\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2006-5-29 1527808]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=

S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v3.sys [2007-04-23 224896]

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://games.bigfishgames.com/en_fashion-dash/online/fashiondashweb.1.0.0.21.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} - hxxp://games.bigfishgames.com/en_fitness-dash/online/FitnessDashWeb.1.0.0.11.cab
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://gameyard.com/online_games/wedding_dash2_online/WeddingDash2Web.1.0.0.11.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://games.bigfishgames.com/en_burger-shop/online/GoBitGamesPlayer_v4.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://games.bigfishgames.com/en_dinerdash/online/DinerDash.1.0.0.58.cab
DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} - hxxp://www.thesecret.tv/movie/player/player_ocx.jpeg
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 09:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-24 9:09
ComboFix-quarantined-files.txt 2009-04-24 16:09
ComboFix2.txt 2009-04-23 15:52

Pre-Run: 14,688,075,776 bytes free
Post-Run: 14,686,031,872 bytes free

149 --- E O F --- 2009-04-17 22:21




Now here is the MBAM log (pleasantly surprised):

Malwarebytes' Anti-Malware 1.36
Database version: 2036
Windows 5.1.2600 Service Pack 3

4/24/2009 9:21:32 AM
mbam-log-2009-04-24 (09-21-32).txt

Scan type: Quick Scan
Objects scanned: 68769
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by akire, 24 April 2009 - 08:39 AM.


#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:34 AM

Posted 24 April 2009 - 02:46 PM

Hello again.

Now here is the MBAM log (pleasantly surprised):

Why are you so surprised? That was why I wanted to see. I am not surprised at all. :thumbup2:

Let's continue here..

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

    @Echo off

    RD /s /q "c:\documents and settings\All Users\Application Data\Viewpoint"
    Dir "c:\documents and settings\NetworkService\Application Data\biqiaqop" >> C:\look.txt
    Notepad C:\look.txt

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input LFix.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double click on LFix.bat to run it. If you are using Windows Vista, please right-click and Run As Administrator...

A Black DOS window shall appear and then notepad shall open. Please post the contents of notepad in your next reply.

Update Java to Version 6 Update 12

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Re-run DDS and post back with the log.

For your next reply I would like to see:
-Look log (notepad contents of the batch file)
-Kaspersky log
-New set of DDS logs

With Regards,
Extremeboy

#12 akire

akire
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 24 April 2009 - 03:18 PM

Hi extremeboy! I just want to let you know that I won't be able to do anything on the computer we're working on until Monday morning when I get back into the office. Just letting you know so you don't think I forgot or changed my mind. I still need your help, so I'll be back with those results on Monday. :thumbup2: Until then have a lovely weekend.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:34 AM

Posted 24 April 2009 - 03:28 PM

Thanks for letting me know.

Hope to hear from you on Monday or Tuesday then :thumbup2:

It may take a while especially with the online scan

Have a great weekend as well.

With Regards,
Extremeboy

#14 akire

akire
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 27 April 2009 - 02:08 PM

Hello extremeboy. Hope you had a relaxing weekend. I deleted all older versions of Java from my pc and installed the newest version. I come prepared with the 3 things you asked for. :thumbup2:

Look:
Volume in drive C has no label.
Volume Serial Number is 8C7E-77F0

Directory of c:\documents and settings\NetworkService\Application Data\biqiaqop

04/15/2009 02:13 PM <DIR> .
04/15/2009 02:13 PM <DIR> ..
04/15/2009 02:13 PM <DIR> Profiles
04/15/2009 02:13 PM 111 profiles.ini
1 File(s) 111 bytes
3 Dir(s) 14,658,646,016 bytes free



Kaspersky:
In the scan settings I couldn't select or unselect "Viruses, Worms, Trojan Horses, Rootkits".
Posted Image

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, April 27, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, April 27, 2009 18:06:07
Records in database: 2083698
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 30173
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:27:09

No malware has been detected. The scan area is clean.

The selected area was scanned.



DDS:
DDS (Ver_09-03-16.01) - NTFSx86
Run by Joe Bonanno at 14:48:43.82 on Mon 04/27/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.122 [GMT -7:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Joe Bonanno\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.msn.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://games.bigfishgames.com/en_fashion-dash/online/fashiondashweb.1.0.0.21.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} - hxxp://games.bigfishgames.com/en_fitness-dash/online/FitnessDashWeb.1.0.0.11.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} - hxxp://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://games.bigfishgames.com/en_dinerdash2restaura/online/DinerDash2.1.0.0.48.cab
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://gameyard.com/online_games/wedding_dash2_online/WeddingDash2Web.1.0.0.11.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://games.bigfishgames.com/en_burger-shop/online/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://games.bigfishgames.com/en_dinerdashfloontheg/online/ddfotg.1.0.0.33.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://games.bigfishgames.com/en_dinerdash/online/DinerDash.1.0.0.58.cab
DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} - hxxp://www.thesecret.tv/movie/player/player_ocx.jpeg
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-9 148496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-9 353672]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-04-27 12:40 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-27 12:40 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-24 09:14 <DIR> --d----- c:\docume~1\joebon~1\applic~1\Malwarebytes
2009-04-24 09:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-24 09:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 09:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-24 09:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-24 09:02 161,792 a------- c:\windows\SWREG.exe
2009-04-24 09:02 98,816 a------- c:\windows\sed.exe
2009-04-23 08:33 <DIR> a-dshr-- C:\cmdcons
2009-04-17 08:32 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-17 08:32 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-17 08:32 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-17 08:32 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-17 08:32 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 08:32 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 08:32 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 08:32 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-17 08:32 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-17 08:24 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-17 08:23 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 08:23 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-09 09:29 4,023 a------- C:\rollback.ini
2009-04-09 09:14 <DIR> --d----- c:\docume~1\joebon~1\applic~1\MailFrontier
2009-04-09 09:02 93,063,968 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-09 09:02 1,202,036 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-09 08:55 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-04-09 08:55 72,584 a------- c:\windows\zllsputility.exe
2009-04-09 08:52 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-04-09 08:52 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-04-09 08:52 <DIR> --d----- c:\program files\Zone Labs
2009-04-09 08:52 350,211 a------- c:\windows\system32\vsconfig.xml
2009-04-09 08:50 <DIR> --d----- c:\windows\Internet Logs
2009-04-08 11:19 276 a------- c:\windows\wininit.ini
2009-04-08 10:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-07 12:28 1,060,864 a------- c:\windows\system32\MFC71.dll

==================== Find3M ====================

2009-04-27 12:45 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 01:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 01:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2008-05-16 14:17 16,760 a------- c:\docume~1\joebon~1\applic~1\GDIPFONTCACHEV1.DAT
2007-04-23 15:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 15:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 12:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 12:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 12:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 12:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 12:30 28,672 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 12:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 12:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2009-04-27 14:49 93,071,136 a--sh--- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 14:49:57.76 ===============


#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:34 AM

Posted 27 April 2009 - 02:43 PM

Hello.

Hope you had a relaxing weekend.

Yes I did. Thank you. I hope you had a great weekend too.

In the scan settings I couldn't select or unselect "Viruses, Worms, Trojan Horses, Rootkits".

Don't worry about it then, as long as it was checked. :step5:

Looks good. Let's help you remove some unneeded items/dead entries to cleanup a bit :step1:

Download and Run OTMoveIt3
  • Please download OTMoveIt3 by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    :files
    c:\documents and settings\NetworkService\Application Data\biqiaqop
    :reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
    "{A057A204-BACC-4D26-9990-79A187E2698E}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{A057A204-BACC-4D26-9990-79A187E2698E}"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0CCA191D-13A6-4E29-B746-314DEE697D83}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{639658F3-B141-4D6B-B936-226F75A5EAC3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{74EF5274-F439-2168-B543-14745B625C72}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6}]
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large MoveIt! button.
  • Copy/Paste the contents under the Results line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

How is your computer running now? Any more symptoms?

If all is okay, we will cleanup and give you some prevention tips next post :thumbup2:

BTW, I love this smiley, didn't realize there was a smiley like this: :)

With regards,
Extremeboy :step4:
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
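The :reg section of the fix above deletes five keys under Code Store Database\Distribution Units, which is where Internet Explorer records the downloaded ActiveX controls that DDS prints as "DPF:" lines. As an added example (not from the thread and not part of OTMoveIt3), the following read-only PowerShell audit lists every Distribution Unit with its CODEBASE URL and whether the CLSID still resolves to an installed file, so a helper can see what a removal script would touch before running it; it assumes PowerShell 3 or later and the standard key layout (DownloadInformation\CODEBASE under each unit, InprocServer32 under HKCR\CLSID).

```powershell
# Added example, not from the forum thread or from OTMoveIt3.
# Read-only audit of IE "Downloaded Program Files" registrations (the DDS "DPF:" lines).
# Assumed layout: HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CLSID}
#   \DownloadInformation  -> CODEBASE (URL of the .cab that was downloaded)
# HKCR\CLSID\{CLSID}\InprocServer32 default value -> path of the registered DLL/OCX.
$duRoot = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'

function Get-DpfAudit {
    Get-ChildItem -Path $duRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName

        # Where the control was fetched from (what DDS shows after the CLSID).
        $codebase = (Get-ItemProperty -Path "$($_.PSPath)\DownloadInformation" `
                        -Name CODEBASE -ErrorAction SilentlyContinue).CODEBASE

        # The COM server the CLSID points at, if the control is still registered.
        $server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                        -ErrorAction SilentlyContinue).'(default)'

        $fileOk = $false
        if ($server) {
            # Some servers are stored quoted; strip quotes before testing the path.
            $fileOk = Test-Path -LiteralPath ($server -replace '"', '')
        }

        $status = if (-not $server)  { 'no CLSID registration found' }
                  elseif (-not $fileOk) { 'registered, but file is missing' }
                  else                   { 'installed' }

        [pscustomobject]@{
            CLSID    = $clsid
            CodeBase = $codebase
            Server   = $server
            Status   = $status
        }
    }
}

# Entries with no registration or a missing file are the candidates a helper
# would review as "dead entries"; nothing here modifies the registry.
Get-DpfAudit | Sort-Object Status, CLSID | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt on the machine being examined; compare the CLSIDs it reports against the DPF: lines in the DDS log before deciding which Distribution Units keys a fix script should remove.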



