Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Sinowal Trojan/HelpAssistant


  • Please log in to reply
14 replies to this topic

#1 bbocte

bbocte

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 11 April 2010 - 04:41 PM

I would greatly appreciate any assistance in helping to remove what I believe is a variant of the Sinowal trojan. Below is a summary of my system, the infection symptoms, steps take so far, as well as the requested logs. As suggested in this site's Preparation Guide, I have turned off appropriate portions of McAfee, but left my firewall running.

System: Dell Dimension 8300 with Windows XP, service pack 3. Security software is McAfee Security Center. Primary browser is IE8.

Infection symptoms: My system froze while browsing the web, but I could still move the mouse cursor. Several applications were open. The task manager would not open, so I couldn't kill any apps/processes. I tried to close the top window several times by clicking the "X" at the top, right (that would not work), after which I began hearing a continuous beep from the computer tower. I performed a hard reboot, and when my system came back up, the freezing problems continued (along with the beeping). I noticed that my hard drive was now completely full, which it should not have been, so I searched for all files added on or after the date my problems began. A new user folder, c:\\Documents and Settings\HelpAssistant, had been created, and copies (at least what I think were copies) of my user account files were created for that user (until the hard drive was full). After much searching, it seemed to me I had the Sinowal Trojan, and I ultimately found some help on this forum. I performed what seemed to be generic steps to help rectify the problem, but got to a point where I did not want to proceed without professional help.

Steps take: I downloaded, installed, and ran mbr.exe, which resulted in the following log:
**********************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
***********************

I then ran the mbr.exe -f, which generated the following log:
***********************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !
***********************

I then reboot and ran mbr.exe again, which generated the following log:
*************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !
************************

I then downloaded and ran Malwarebytes, which did not find any malware.

I then performed a scan using Kaspersky Online Scanner, which produced the following report.
*****************************
Friday, April 9, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, April 08, 2010 17:27:19
Records in database: 3923499


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
H:\
Y:\
Z:\

Scan statistics
Objects scanned 190653
Threats found 1
Infected objects found 1
Suspicious objects found 0
Scan duration 05:55:33

File name Threat Threats count
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\tXUA.dll Infected: Backdoor.Win32.Sinowal.fox 1

Selected area has been scanned.
*************************

The solutions in other threads seemed to get particular to the computer at issue after that point, so I wasn't sure how to proceed.

My DDS.txt log is below (and attach.txt is attached):
**************************

DDS (Ver_10-03-17.01) - NTFSx86
Run by Chad at 22:25:45.06 on Fri 04/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1053 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\OEM03Mon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Skype\Phone\Skype.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CMS Products\BounceBack Express\BBLauncher.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Snapfish PictureMover\PictureMover.exe
C:\Program Files\Citrix\ICA Client\PNAMain.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMsgSvc]
uRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip.com/games/monster-golf/en/"
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [OEM03Mon.exe] c:\windows\OEM03Mon.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mExplorerRun: [hedjq] c:\windows\system32\hedjq.exe
StartupFolder: c:\docume~1\chad\startm~1\programs\startup\bhodem~1.lnk - c:\program files\bhodemon 2\BHODemon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bounce~1.lnk - c:\program files\cms products\bounceback express\BBLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\windows\installer\{2624b680-02bc-4cbc-839c-da20df6ef6ec}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sbcsel~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picturemover\PictureMover.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
Trusted Zone: westlaw.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://www.stonyfield.com/coupons/scriptX/smsx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155188700562
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://mail.rvreddy.com/Remote/msrdp.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.shockwave.com/content/luxor2/sis/mjolauncher.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38095.5498263889
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - hxxp://www.pacimedia.com/install/pcs_0008.exe
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} - hxxp://www.miniclip.com/igloader/igloader.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 4096]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2006-10-15 3968]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-1-17 214664]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 204800]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-1-17 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-1-17 144704]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2007-5-18 7424]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-1-17 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-1-17 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-1-17 34248]
R3 OEM03Afx;Provides a software interface to control audio effects of OEM003 camera.;c:\windows\system32\drivers\OEM03Afx.sys [2007-10-6 141376]
R3 OEM03Vfx;Creative Camera OEM003 Video VFX Driver;c:\windows\system32\drivers\OEM03Vfx.sys [2007-10-6 7424]
R3 OEM03Vid;Creative Camera OEM003 Driver;c:\windows\system32\drivers\OEM03Vid.sys [2007-10-6 235808]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2007-10-6 31616]
S2 ENCMXQLO;ENCMXQLO;\??\c:\windows\system32\encmxqlo.sey --> c:\windows\system32\encmxqlo.sey [?]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-1-17 40552]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2004-12-12 15576]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-1-17 606736]

=============== Created Last 30 ================

2010-04-09 04:26:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-09 04:26:57 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-09 03:19:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 03:27:17 77312 ----a-w- C:\mbr.exe
2010-04-07 03:06:01 0 d-----w- c:\windows\system32\NtmsData
2010-04-05 03:18:01 0 d-----w- c:\program files\SpeedFan
2010-04-05 03:17:59 45 ----a-w- c:\windows\system32\initdebug.nfo
2010-03-29 14:17:21 3248 ----a-w- c:\windows\system32\wbem\Outlook_01cacf4a8bb94f6c.mof
2010-03-24 06:15:31 0 d-----w- c:\docume~1\chad\applic~1\Malwarebytes
2010-03-24 06:15:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-24 05:02:38 0 d-----w- c:\program files\Trend Micro
2010-03-22 04:43:36 0 d-----w- c:\program files\iPod
2010-03-14 08:51:13 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-14 00:14:57 0 d-----w- c:\program files\Western Digital
2010-03-14 00:14:46 20992 ------w- c:\windows\jestertb.dll

==================== Find3M ====================

2010-03-24 04:47:08 61508 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-25 16:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2006-10-08 03:01:40 9276 ------w- c:\program files\hijackthis.log
2005-02-16 16:06:16 218112 ------w- c:\program files\HijackThis.exe
2007-10-06 06:19:14 75 --sh--r- c:\windows\CT4CET.bin
2009-04-12 04:21:32 245760 --sh--w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-10-05 05:51:54 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100520081006\index.dat

============= FINISH: 22:26:30.42 ===============
*******************

My system crashed while running GMER, which was taking a really long time, so I'd rather not run that again if it is unnecessary (but will be happy to if you need it).

Thanks so much, and I will appreciate any assistance. This seems like a pretty nasty piece of malware.

EDIT: Moved to more appropriate malware forum from XP ~ Hamluis.

Attached Files


Edited by hamluis, 11 April 2010 - 04:46 PM.


BC AdBot (Login to Remove)

 


#2 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:49 PM

Posted 14 April 2010 - 12:13 PM

Hello, bbocte

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Mebroot Fix

Please download HelpAsst_mebroot_fix.exe by noahdfear and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes,
  • Click Start
  • Then Run and type helpasst -mbrt, then hit Enter.
Note: Make sure you leave a space between helpasst and -mbrt

When it completes, a log will open.
Please post the contents of that log.

*In the event the tool does not detect an mbr infection and completes:
  • Click Start
  • Then Run
  • Type mbr -f
  • Then hit Enter.
  • Now, please do the Start>Run>mbr -f command a second time.
  • Shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
  • Give it about 5 minutes, then click Start>Run
  • Type helpasst -mbrt, then hit Enter.

Note: Make sure you leave a space between helpasst and -mbrt

When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#3 bbocte

bbocte
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 15 April 2010 - 12:41 AM

Hi, Jat90. Thanks so much for responding. HelpAsst mebroot fix.exe did not detect an mbr infection, so I followed your later instructions. The log generated by helpasst -mbrt is as follows:

C:\Documents and Settings\Chad\Desktop\HelpAsst_mebroot_fix.exe
Thu 04/15/2010 at 0:14:34.18

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3638:TCP"=-
"5776:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"3638:TCP"=-
"5776:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-3410301828-1063297115-1856903921-1007
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.DF2W1N41 ~ attempting to remove

~ Not all HelpAssistant files sucessfully removed ~
Remove on reboot: C:\DOCUME~1\HELPAS~1.DF2\Cookies
Remove on reboot: C:\DOCUME~1\HELPAS~1.DF2\APPLIC~1\Mozilla
Remove on reboot: C:\DOCUME~1\HELPAS~1.DF2\APPLIC~1
Remove on reboot: C:\Documents and Settings\HelpAssistant.DF2W1N41


~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 04/15/2010 at 0:36:30.28

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


Thanks,
Chad

#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:49 PM

Posted 15 April 2010 - 04:31 AM

Hello,

I think the infection may still persist, please do this:

Mebroot Check

Download and run HAMeb_check.exe
Post the contents of the resulting log.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#5 bbocte

bbocte
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 15 April 2010 - 08:31 AM

Jat90,

Below is the log generated by HAMeb_check.exe. I should note that the HelpAssistant folder is still listed under c:\Documents and Settings\, and I did not attempt to delete it after running the items I mentioned in my original post == figured I would wait for you to ask me to do that.

Thanks.




C:\Documents and Settings\Chad\Desktop\HAMeb_check.exe
Thu 04/15/2010 at 8:26:02.37

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#6 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:49 PM

Posted 15 April 2010 - 11:40 AM

Hello,

Looks like the initial scan didn't remove it completely, could you please repeat the steps outlined in Post #2

Edited by Jat90, 15 April 2010 - 11:40 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#7 bbocte

bbocte
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 15 April 2010 - 10:22 PM

Hi. I repeated the steps from post 2. HelpAsst_mebroot_fix.exe again did not detect an infection. The log generated by helpasst -mbrt (as run from the Start>Run prompt) is below.

Thanks for your continued assistance.



C:\Documents and Settings\Chad\Desktop\HelpAsst_mebroot_fix.exe
Thu 04/15/2010 at 22:01:11.51

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 04/15/2010 at 22:18:30.17

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:49 PM

Posted 16 April 2010 - 06:50 AM

Hmm,

Still persists. Let's use the Recovery Console to tackle it.

Mebroot Fix via Recovery Console

For this fix be sure you have the Recovery Console installed, if not then see HERE for instructions on how to install it.

Do the following:
  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:

    mbr -f

  6. At the next prompt type the following bolded text, and press Enter:

    exit
Windows will now begin loading.

Once Windows has loaded, please click Start-> Run and type the following:

helpasst -mbrt

A log will appear, please paste the contents of it in your next reply.

Edited by Jat90, 16 April 2010 - 06:51 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#9 bbocte

bbocte
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 19 April 2010 - 11:26 AM

Thanks. I'm having some issues getting a copy of the Recovery Console installed. My XP installation disc is SP1, while my running copy is SP3. SP3 won't let me install the old recovery console from my installation disc (and I assume that old version wouldn't work with SP3 anyway). I'm working on slipstreaming the SP3 installation files into my XP, SP1 version.

#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:49 PM

Posted 19 April 2010 - 02:16 PM

Hello,

Let's use ComboFix, it may target the infection as well as downloading the recovery console:

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by Jat90, 19 April 2010 - 02:21 PM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#11 bbocte

bbocte
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 19 April 2010 - 10:03 PM

Hi,

Thanks for the new suggestion. I downloaded and ran combofix. The Recovery Console successfully installed and produced the following log (I noticed the HelpAssistant folder is listed). The log is attached, as well.

Thanks.



ComboFix 10-04-18.04 - Chad 04/19/2010 21:32:08.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1257 [GMT -5:00]
Running from: c:\documents and settings\Chad\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chad\Local Settings\Temporary Internet Files\4Yic7.jpg
c:\documents and settings\Chad\Local Settings\Temporary Internet Files\540VXPqww.jpg
c:\documents and settings\Chad\Local Settings\Temporary Internet Files\PtjydoM.jpg
c:\documents and settings\Chad\Local Settings\Temporary Internet Files\RA6su.jpg
c:\program files\Common Files\SLMSS
c:\program files\Common Files\SLMSS\acp1.dat
c:\windows\consol32.exe
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\dirty_dishes.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\foodtray.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\heart1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\heart2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\heart3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\menu_down.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\menu_up.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\mop_prop.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\ticket.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a3.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a4.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\baby_cry.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\chef_cook1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\closing_time.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\customer_ditch.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\dialog_down.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\dialog_up.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\drink_table.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\expert.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\highchair_deliver.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\highchair_pickup.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\keystroke2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\level_lose.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\level_win.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\menu_click.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\menu_rollover.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\mop_pickup.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\mop_spill.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_bring_check_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_deliver_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_dish_dropoff_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_dropoff_drinks_1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_food_ready_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_gain_heart_1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_get_drinks_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_menu_down.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_party_arrive_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_pencil_write_2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_pickup_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_seat_people_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\spill.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\table_drink.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\tip_2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\flo_lose.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\flo_win.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\fullscreendialog.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\high_score_menu_bg.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\levelintro.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\levelintro.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\levelover.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\longdialog.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\longdialog.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\mainmenu_logo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\popup.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\popup.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\textfield.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\upgrade_lines.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowdown_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowdown_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowdown_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowup_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowup_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowup_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\checkbox_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\checkbox_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\checkbox_rotated_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\checkbox_rotated_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\decor_highlight.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\decor_normal.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\decor_selected.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_large_1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_large_2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_large_3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_small_1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_small_2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_small_3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\left_arrow_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\left_arrow_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\left_arrow_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button1_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button1_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button1_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button1_mask.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button2_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button2_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button2_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button2_mask.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\map_button_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\map_button_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\map_button_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\right_arrow_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\right_arrow_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\right_arrow_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\upgrade_down.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\upgrade_over.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\upgrade_up.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\welcome_player.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\actionpoints.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\career.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\customer.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\endless.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\global.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\powerups.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cook\stove.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cursor\arrow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cursor\click.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cursor\click2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cursor\grab.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cursor\open.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\baby.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\baby.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\blue_baby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\red_baby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\idle.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\idle.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\lower.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\lower.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\upper.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\upper.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\fonts\mercurius.mvec
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\bench.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\bench.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\blue_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\chair.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\chair.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\dirt2top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\dirt4top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\dishcart.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\dishcart.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\green_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\highchair_prop_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\highchair_prop_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\highchairbaby.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\highchairbaby.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\luxury_bench.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\luxury_bench.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\mop_station_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\mop_station_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\mop_station_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\podium.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\podium_heart.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\podium_heart.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\purple_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\radio.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\red_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\spill.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\spill.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\stereo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\ticketstation.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\ticketstation.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\yellow_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\family.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help_dividerline.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help1_colormatch1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help1_colormatch2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help1_noise.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help1_score.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help2_cleardishes.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help2_givecheck.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help2_pickupfood.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help2_servefood.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help2_takeorder.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\hiscore\local-hs-bb.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\hiscore\p1icon.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_1.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_2.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_3.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_4.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_5.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_6.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\endless_1_1.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\endless_1_1_a.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\endless_1_1_b.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\endless_1_1_c.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\playfirstlogo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\background.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\chairs\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\chairs\green.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\chairs\green.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\chairs\grey.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\chairs\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\food\cup1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\food\food.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\food\food.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\frames\2_0.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\frames\2_1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\furniture\drinkstation1_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\furniture\drinkstation1_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\furniture\drinkstation1_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\people\cook.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\people\cook.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\props\cup_prop1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\tables\2top.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\tables\2top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\tables\4top.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\tables\4top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\upgrade_icons\cafe_icon_2_0.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\upgrade_icons\cafe_icon_2_1.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\upgrades.xml
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\tableshadow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\careerupgrade.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\choosedifficulty.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\closeconfirm.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\entername.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\game.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\getmoregames.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\help1.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\help2.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\hiscore.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\hiscoreinfo.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\hiscoresubmit.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\levelintro.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\levelover.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\loading.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\mainloop.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\mainmenu.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\ok.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\pause.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\style.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\upgrade.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\upsell.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\yesno.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\splash\aol_logo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\strings.xml
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\angersmoke.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\angersmoke.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\bubbles\request_bubble.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\bubbles\request_mop.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\bubbles\request_rejectmeal.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\chairflags.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\chairflags.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\check.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\checkmark.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\closed.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\coinflip.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\coinflip.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\decor_lines.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\dollar.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\expert.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\foodpoof.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\foodpoof.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\heartgrow.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\heartgrow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\jar.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\jar.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\lives_icon.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\noisering.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_d.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_e.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_f.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\tablenumber_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\tablenumber_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\traynumber.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\tutorialarrow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\tutorialbox.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\ui_base.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\ui_hand.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\ui_timer_off.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\ui_timer_on.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgradeanim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_bench_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_bench_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_bench_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_drink_station1_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_drink_station1_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_drink_station1_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_luxury_bench_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_luxury_bench_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_luxury_bench_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_oven_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_oven_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_oven_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_podium_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_podium_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_podium_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_powerbars_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_powerbars_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_powerbars_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_radio_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_radio_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_radio_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_stereo_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_stereo_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_stereo_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_table_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_table_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_table_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\upsell\dd1.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\upsell\dd2.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\upsell\dd3.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\upsell\dd4.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\dinerdash2.exe
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\jestertb.dll
c:\windows\patch.exe
c:\windows\system32\office.exe
c:\windows\system32\xehru.dll
c:\windows\system32\yfefb.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZESOFT


((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-15 05:14 . 2010-04-15 05:14 -------- d-----w- C:\HelpAsst_backup
2010-04-13 00:18 . 2002-07-29 17:59 73728 ----a-r- c:\windows\system32\CNMCP4b.exe
2010-04-09 04:26 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-09 04:26 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-09 03:19 . 2010-04-09 04:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 03:27 . 2010-04-07 03:26 77312 ----a-w- C:\mbr.exe
2010-04-07 03:06 . 2010-04-07 03:06 -------- d-----w- c:\windows\system32\NtmsData
2010-04-05 03:18 . 2010-04-09 06:55 -------- d-----w- c:\program files\SpeedFan
2010-04-04 02:37 . 2010-04-04 02:37 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-04-04 02:18 . 2010-04-04 02:18 -------- d-----w- c:\documents and settings\HelpAssistant\igLoader Files
2010-04-04 02:18 . 2010-04-04 02:18 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-04-04 02:18 . 2010-04-04 02:18 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-04-04 02:18 . 2007-10-06 05:53 60968 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
2010-04-04 02:11 . 2010-04-04 02:11 -------- d-----w- c:\documents and settings\HelpAssistant\.viv
2010-04-04 02:11 . 2010-04-04 02:11 -------- d-----w- c:\documents and settings\HelpAssistant\.narya
2010-04-04 02:11 . 2010-04-04 02:11 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
2010-03-24 06:15 . 2010-03-24 06:15 -------- d-----w- c:\documents and settings\Chad\Application Data\Malwarebytes
2010-03-24 06:15 . 2010-03-24 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-24 05:02 . 2010-03-24 05:02 -------- d-----w- c:\program files\Trend Micro
2010-03-22 04:43 . 2010-03-22 04:43 -------- d-----w- c:\program files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 07:04 . 2004-12-13 03:12 -------- d-----w- c:\program files\BHODemon 2
2010-04-17 07:01 . 2006-12-07 06:49 -------- d-----w- c:\program files\MSN Games
2010-04-17 06:58 . 2009-02-08 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-17 06:57 . 2009-02-08 02:50 -------- d-----w- c:\documents and settings\Chad\Application Data\Skype
2010-04-09 16:42 . 2002-09-03 14:58 79319 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-04-03 22:51 . 2005-04-30 11:16 -------- d-----w- c:\program files\McAfee
2010-03-24 04:47 . 2007-09-15 04:04 61508 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-22 04:44 . 2007-08-08 05:18 -------- d-----w- c:\program files\iTunes
2010-03-22 04:43 . 2007-07-06 06:02 -------- d-----w- c:\program files\Common Files\Apple
2010-03-22 04:40 . 2004-04-03 04:48 -------- d-----w- c:\program files\QuickTime
2010-03-22 04:26 . 2007-06-20 03:33 -------- d-----w- c:\program files\Safari
2010-03-19 00:56 . 2004-04-03 02:24 78984 ------w- c:\documents and settings\Chad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-18 12:35 . 2007-06-23 09:09 664 ------w- c:\windows\system32\d3d9caps.dat
2010-03-14 00:14 . 2010-03-14 00:14 -------- d-----w- c:\program files\Western Digital
2010-03-10 06:15 . 2004-08-10 02:27 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 22:05 . 2009-02-08 02:52 -------- d-----w- c:\documents and settings\Chad\Application Data\skypePM
2010-02-25 06:24 . 2005-02-18 21:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:16 . 2009-10-03 13:12 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2002-08-29 11:00 455680 ------w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 1980-01-01 06:00 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 1980-01-01 06:00 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2002-08-29 11:00 100864 ------w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-08-29 11:00 226880 ------w- c:\windows\system32\drivers\tcpip6.sys
2006-10-08 03:01 . 2006-10-08 03:01 9276 ------w- c:\program files\hijackthis.log
2005-02-16 16:06 . 2005-02-16 16:06 218112 ------w- c:\program files\HijackThis.exe
2007-10-06 06:19 . 2007-10-06 06:19 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="c:\program files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 118784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"OEM03Mon.exe"="c:\windows\OEM03Mon.exe" [2007-05-18 36864]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-04-01 151597]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 118784]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Express\BBLauncher.exe [2007-5-18 90112]
Program Neighborhood Agent.lnk - c:\windows\Installer\{2624B680-02BC-4CBC-839C-DA20DF6EF6EC}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2009-10-7 61440]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2004-12-11 217088]
Snapfish PictureMover.lnk - c:\program files\Snapfish PictureMover\PictureMover.exe [2007-11-6 475136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Western Digital\\WD Discovery Software\\WD Discovery.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R2 portD;CMS PortIO Service;c:\windows\SYSTEM32\DRIVERS\portd2k.sys [5/18/2007 9:04 PM 7424]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 OEM03Afx;Provides a software interface to control audio effects of OEM003 camera.;c:\windows\SYSTEM32\DRIVERS\OEM03Afx.sys [10/6/2007 1:17 AM 141376]
R3 OEM03Vfx;Creative Camera OEM003 Video VFX Driver;c:\windows\SYSTEM32\DRIVERS\OEM03Vfx.sys [10/6/2007 1:17 AM 7424]
R3 OEM03Vid;Creative Camera OEM003 Driver;c:\windows\SYSTEM32\DRIVERS\OEM03Vid.sys [10/6/2007 1:17 AM 235808]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\SYSTEM32\DRIVERS\livecamv.sys [10/6/2007 1:17 AM 31616]
S2 ENCMXQLO;ENCMXQLO;\??\c:\windows\system32\encmxqlo.sey --> c:\windows\system32\encmxqlo.sey [?]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\SYSTEM32\DRIVERS\usbbc.sys [12/12/2004 5:48 AM 15576]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2004\SystemOptimizer.exe [2004-11-10 03:11]

2010-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-17 17:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-17 17:22]

2010-04-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: turbotax.com
Trusted Zone: westlaw.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSMsgSvc - (no file)
HKLM-Explorer_Run-hedjq - c:\windows\system32\hedjq.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 21:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000003F320C0414A9D73FE8 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ENCMXQLO]
"ImagePath"="\??\c:\windows\system32\encmxqlo.sey"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3644)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2010-04-19 21:54:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-20 02:54

Pre-Run: 75,187,986,432 bytes free
Post-Run: 75,378,814,976 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 60AFF9D0AA54242744DC7DEC2F085F08

Attached Files



#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:49 PM

Posted 20 April 2010 - 05:17 AM

Hello,

CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Driver::
ENCMXQLO

File::
c:\windows\CT4CET.bin
c:\windows\system32\encmxqlo.sey

Folder::
c:\windows\TEMP\TMP0000003F320C0414A9D73FE8


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Then follow the instructions in Post #8 and post the log.


In your next reply, please post:
  • Combofix log
  • MBR log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#13 bbocte

bbocte
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 20 April 2010 - 10:26 PM

Thanks, Jat. I ran the steps suggested, and the two logs are posted below (combofix log first). Note that when I entered the "mbr -f" command at the c:\Windows prompt in the recovery console, a message indicated that this command is not supported (and to confirm, I did use a space before the -f). I then typed exit, allowed windows to load, and ran helpasst -mbrt as suggested. While the helpasst log seems to indicate that there is no HelpAssistant profile present, the folder still appears in the Documents and Settings folder (I still have not attempted to delete it and will not until you suggest it).

Thanks for the ongoing support.


ComboFix 10-04-19.08 - Chad 04/20/2010 21:42:32.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1555 [GMT -5:00]
Running from: c:\documents and settings\Chad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chad\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\CT4CET.bin"
"c:\windows\system32\encmxqlo.sey"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\CT4CET.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ENCMXQLO
-------\Service_ENCMXQLO


((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-21 00:49 . 2010-01-05 23:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-21 00:49 . 2010-01-05 23:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-21 00:49 . 2010-01-05 23:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-21 00:49 . 2010-01-05 23:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-21 00:49 . 2010-01-05 23:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-21 00:49 . 2010-01-05 23:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-21 00:49 . 2010-01-05 23:04 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-21 00:49 . 2010-01-05 23:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-21 00:49 . 2010-01-05 23:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-21 00:49 . 2010-01-05 23:04 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-15 05:14 . 2010-04-15 05:14 -------- d-----w- C:\HelpAsst_backup
2010-04-13 00:18 . 2002-07-29 17:59 73728 ----a-r- c:\windows\system32\CNMCP4b.exe
2010-04-09 04:26 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-09 04:26 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-09 03:19 . 2010-04-09 04:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 03:27 . 2010-04-07 03:26 77312 ----a-w- C:\mbr.exe
2010-04-07 03:06 . 2010-04-07 03:06 -------- d-----w- c:\windows\system32\NtmsData
2010-04-05 03:18 . 2010-04-09 06:55 -------- d-----w- c:\program files\SpeedFan
2010-04-04 02:37 . 2010-04-04 02:37 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-04-04 02:18 . 2010-04-04 02:18 -------- d-----w- c:\documents and settings\HelpAssistant\igLoader Files
2010-04-04 02:18 . 2010-04-04 02:18 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-04-04 02:18 . 2010-04-04 02:18 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-04-04 02:18 . 2007-10-06 05:53 60968 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
2010-04-04 02:11 . 2010-04-04 02:11 -------- d-----w- c:\documents and settings\HelpAssistant\.viv
2010-04-04 02:11 . 2010-04-04 02:11 -------- d-----w- c:\documents and settings\HelpAssistant\.narya
2010-04-04 02:11 . 2010-04-04 02:11 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
2010-03-24 06:15 . 2010-03-24 06:15 -------- d-----w- c:\documents and settings\Chad\Application Data\Malwarebytes
2010-03-24 06:15 . 2010-03-24 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-24 05:02 . 2010-03-24 05:02 -------- d-----w- c:\program files\Trend Micro
2010-03-22 04:43 . 2010-03-22 04:43 -------- d-----w- c:\program files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 02:30 . 2005-04-30 11:16 -------- d-----w- c:\program files\McAfee
2010-04-21 02:30 . 2007-01-17 16:39 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-17 07:04 . 2004-12-13 03:12 -------- d-----w- c:\program files\BHODemon 2
2010-04-17 07:01 . 2006-12-07 06:49 -------- d-----w- c:\program files\MSN Games
2010-04-17 06:58 . 2009-02-08 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-17 06:57 . 2009-02-08 02:50 -------- d-----w- c:\documents and settings\Chad\Application Data\Skype
2010-04-09 16:42 . 2002-09-03 14:58 79319 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-03-24 04:47 . 2007-09-15 04:04 61508 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-22 04:44 . 2007-08-08 05:18 -------- d-----w- c:\program files\iTunes
2010-03-22 04:43 . 2007-07-06 06:02 -------- d-----w- c:\program files\Common Files\Apple
2010-03-22 04:40 . 2004-04-03 04:48 -------- d-----w- c:\program files\QuickTime
2010-03-22 04:26 . 2007-06-20 03:33 -------- d-----w- c:\program files\Safari
2010-03-19 00:56 . 2004-04-03 02:24 78984 ------w- c:\documents and settings\Chad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-18 12:35 . 2007-06-23 09:09 664 ------w- c:\windows\system32\d3d9caps.dat
2010-03-14 00:14 . 2010-03-14 00:14 -------- d-----w- c:\program files\Western Digital
2010-03-10 06:15 . 2004-08-10 02:27 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 22:05 . 2009-02-08 02:52 -------- d-----w- c:\documents and settings\Chad\Application Data\skypePM
2010-02-25 06:24 . 2005-02-18 21:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:16 . 2009-10-03 13:12 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2002-08-29 11:00 455680 ------w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 1980-01-01 06:00 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 1980-01-01 06:00 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2002-08-29 11:00 100864 ------w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-08-29 11:00 226880 ------w- c:\windows\system32\drivers\tcpip6.sys
2006-10-08 03:01 . 2006-10-08 03:01 9276 ------w- c:\program files\hijackthis.log
2005-02-16 16:06 . 2005-02-16 16:06 218112 ------w- c:\program files\HijackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="c:\program files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 118784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"OEM03Mon.exe"="c:\windows\OEM03Mon.exe" [2007-05-18 36864]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-04-01 151597]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 118784]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Express\BBLauncher.exe [2007-5-18 90112]
Program Neighborhood Agent.lnk - c:\windows\Installer\{2624B680-02BC-4CBC-839C-DA20DF6EF6EC}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2009-10-7 61440]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2004-12-11 217088]
Snapfish PictureMover.lnk - c:\program files\Snapfish PictureMover\PictureMover.exe [2007-11-6 475136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Western Digital\\WD Discovery Software\\WD Discovery.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [4/20/2010 7:49 PM 82952]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/20/2010 7:49 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/20/2010 7:49 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/20/2010 7:49 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/20/2010 7:49 PM 141792]
R2 portD;CMS PortIO Service;c:\windows\SYSTEM32\DRIVERS\portd2k.sys [5/18/2007 9:04 PM 7424]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [4/20/2010 7:49 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [4/20/2010 7:49 PM 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/20/2010 7:49 PM 88480]
R3 OEM03Afx;Provides a software interface to control audio effects of OEM003 camera.;c:\windows\SYSTEM32\DRIVERS\OEM03Afx.sys [10/6/2007 1:17 AM 141376]
R3 OEM03Vfx;Creative Camera OEM003 Video VFX Driver;c:\windows\SYSTEM32\DRIVERS\OEM03Vfx.sys [10/6/2007 1:17 AM 7424]
R3 OEM03Vid;Creative Camera OEM003 Driver;c:\windows\SYSTEM32\DRIVERS\OEM03Vid.sys [10/6/2007 1:17 AM 235808]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\SYSTEM32\DRIVERS\livecamv.sys [10/6/2007 1:17 AM 31616]
S2 0075781271817397mcinstcleanup;McAfee Application Installer Cleanup (0075781271817397);c:\windows\TEMP\007578~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\007578~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/20/2010 7:49 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [4/20/2010 7:49 PM 83496]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\SYSTEM32\DRIVERS\usbbc.sys [12/12/2004 5:48 AM 15576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0075781271817397MCINSTCLEANUP
*Deregistered* - IPVNMon
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2004\SystemOptimizer.exe [2004-11-10 03:11]

2010-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-04-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: turbotax.com
Trusted Zone: westlaw.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 21:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2188)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2010-04-20 22:10:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 03:09
ComboFix2.txt 2010-04-20 02:54

Pre-Run: 75,220,074,496 bytes free
Post-Run: 75,180,023,808 bytes free

- - End Of File - - 60AF90E9096C5E3B04B8C9E2324AB37C



C:\Documents and Settings\Chad\Desktop\HelpAsst_mebroot_fix.exe
Thu 04/15/2010 at 22:01:11.51

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 04/15/2010 at 22:18:30.17

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 04/20/2010 at 22:18:39.71

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~



#14 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:11:49 PM

Posted 21 April 2010 - 06:52 PM

Hello,

See if you can run GMER now:

Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#15 bbocte

bbocte
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 23 April 2010 - 11:29 PM

No luck with GMER. I attempted to run it in normal mode, and the system crashed to a blue screen that read:

A problem was detected and Windows has been shut down to prevent damage to your comptuer. PFN_List_Corrupt
[detailed text I can't remember]
*** stop: 0x0000004E (0x00000007, 0x000061CB, 0x00000002, 0x00000000)
Beginning dump of physical memory.
Physical memory dump complete.

I then performed a hard shutdown and restarted into Safe Mode. I ran GMER in Safe Mode, which completed and generated a message that read "GMER did not find any modifications."

I then restarted in normal mode and attempted to run GMER. It again crashed the system. Not sure what's going on.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users