HijackThis Log - Explorer.exe does not work

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

by Dwight Hebert » July 15th, 2007, 1:28 pm

I'm working on an older computer of a fellow employee. So far I've cleaned out over 1000 trojans and viruses and about 600 adware objects. The computer is running much better now, but I still cannot open folders or My Computer, nor run explorer.exe in regular mode. I also cannot get into the Control Panel to uninstall items. However, Explorer runs and folders open in safe mode. I've run AVG Free, Ad-Aware, Spybot S&D and SmitFraudFix.
I'm getting ready to download and run AVG Spyware.
Here is my HijackThis log. Any suggestions?

Thanks
Dwight

Logfile of HijackThis v1.99.1
Scan saved at 12:13:30 PM, on 7/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\visitor1\Application Data\WinTouch\WinTouch.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\visitor1\Desktop\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,pytotac.exe,C:\Documents and Settings\visitor1\Application Data\ntos.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B8E508D-CAB2-460C-B73F-CA5E834E4408} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINNT\system32\jlabooep.dll (file missing)
O2 - BHO: (no name) - {60E5A847-67D5-3370-A33C-6FE33D9CFF98} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\sstss.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINNT\xhelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C97E72C8-E809-B9FC-7B91-B59EFB1007CB} - (no file)
O2 - BHO: (no name) - {D6162326-2095-40CC-92A7-0EB5AF6C249B} - C:\WINNT\bargva.dll (file missing)
O2 - BHO: (no name) - {DB999FCE-EFD1-4AA2-8EF0-A1766FD7D7Bb} - C:\WINNT\system32\pxdjydbw.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\visitor1\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\visitor1\Application Data\Microsoft\biodoslw.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm231YYUS
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://66.230.*.*
O15 - Trusted IP range: http://66.235.*.*
O15 - Trusted IP range: http://69.31.*.*
O15 - Trusted IP range: http://69.50.*.*
O15 - Trusted IP range: http://205.177.*.*
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://iowacniceweb01.ic.ncs.com/icm/caller.cab
O20 - Winlogon Notify: sstss - C:\WINNT\SYSTEM32\sstss.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

by Vino Rosso » July 16th, 2007, 1:01 pm

Hi Dwight

Welcome to the Malware Removal forums.

HijackThis logs can take a little time to research so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Finally, please reply to this thread. Do not start a new topic.
1 - Rename HijackThis
Can you please rename HijackThis.exe to search13.exe

2 - ComboFix
Download ComboFix from >here< to your Desktop
Close all windows
Double-click combofix.exe and follow the prompts
When finished, the program will produce a log
Please post the log in your next reply

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.

3 - Check on status
After you have completed the above, please reboot and provide:
  1. the ComboFix report
  2. a new HijackThis log - using search13.exe
Thanks
Vino

by Dwight Hebert » July 18th, 2007, 1:09 pm

Vino

Here are the logs you asked for.

Thanks
Dwight

Logfile of HijackThis v1.99.1
Scan saved at 10:27:28 AM, on 7/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\visitor1\Desktop\search13.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B8E508D-CAB2-460C-B73F-CA5E834E4408} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60E5A847-67D5-3370-A33C-6FE33D9CFF98} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINNT\xhelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C97E72C8-E809-B9FC-7B91-B59EFB1007CB} - (no file)
O2 - BHO: (no name) - {D6162326-2095-40CC-92A7-0EB5AF6C249B} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\visitor1\Application Data\Microsoft\biodoslw.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm231YYUS
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://66.230.*.*
O15 - Trusted IP range: http://66.235.*.*
O15 - Trusted IP range: http://69.31.*.*
O15 - Trusted IP range: http://69.50.*.*
O15 - Trusted IP range: http://205.177.*.*
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://iowacniceweb01.ic.ncs.com/icm/caller.cab
O20 - Winlogon Notify: sstss - sstss.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe



"visitor1" - 2007-07-18 9:25:22 - ComboFix 07-07-17.8 - Service Pack 4 FAT32


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))




* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



C:\WINNT\system32\winlogon.exe . . . is infected!!
C:\DOCUME~1\visitor1\APPLIC~1.\crosof~1
C:\DOCUME~1\visitor1\APPLIC~1.\fnts~1
C:\DOCUME~1\visitor1\APPLIC~1.\fnts~2
C:\DOCUME~1\visitor1\APPLIC~1\Dxcknwrd.dll
C:\DOCUME~1\visitor1\APPLIC~1\WinTouch
C:\DOCUME~1\visitor1\APPLIC~1\WinTouch\wintouch.cfg
C:\DOCUME~1\visitor1\APPLIC~1\WinTouch\wintouch.cfg.147839767609dac0f91bbd39572996ce
C:\DOCUME~1\visitor1\APPLIC~1\WinTouch\WinTouch.exe
C:\DOCUME~1\visitor1\APPLIC~1\WinTouch\WTUninstaller.exe
C:\DOCUME~1\visitor1\MYDOCU~1.\scurit~1
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\Common Files\{363E1~1
C:\Program Files\Common Files\{463E1~1
C:\Program Files\Common Files\{463E1~2
C:\Program Files\Common Files\{463E1~3
C:\Program Files\Common Files\mantec~1
C:\Program Files\outerinfo
C:\Program Files\padsysassistant
C:\Program Files\padsysassistant\desktop.ini
C:\Program Files\padsysassistant\Uninstall.exe
C:\Program Files\sstem3~1
C:\Program Files\Ultimate Cleaner
C:\Program Files\winpop
C:\sstray.exe
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\scripts\style.lua
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\scripts\upgrade.lua
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\scripts\upsell.lua
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\scripts\yesno.lua
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\splash\aol_logo.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\splash\playfirst_logo.jpg
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\strings.xml
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\angersmoke.anm
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\angersmoke.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\bubbles\request_bubble.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\bubbles\request_mop.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\bubbles\request_rejectmeal.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\chairflags.anm
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\chairflags.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\check.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\checkmark.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\closed.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\coinflip.anm
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\coinflip.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\decor_lines.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\dollar.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\expert.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\foodpoof.anm
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\foodpoof.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\heartgrow.anm
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\heartgrow.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\jar.anm
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\jar.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\lives_icon.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\noisering.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_a.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_b.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_c.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_d.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_e.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_f.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\tablenumber_a.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\tablenumber_b.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\traynumber.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\tutorialarrow.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\tutorialbox.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\ui_base.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\ui_hand.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\ui_timer_off.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\ui_timer_on.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgradeanim.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_bench_a.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_bench_b.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_bench_c.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_drink_station1_a.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_drink_station1_b.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_drink_station1_c.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_luxury_bench_a.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_luxury_bench_b.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_luxury_bench_c.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_oven_a.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_oven_b.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_oven_c.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_podium_a.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_podium_b.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_podium_c.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_powerbars_a.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_powerbars_b.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_powerbars_c.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_radio_a.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_radio_b.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_radio_c.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_stereo_a.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_stereo_b.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_stereo_c.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_table_a.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_table_b.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_table_c.png
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\upsell\dd1.jpg
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\upsell\dd2.jpg
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\upsell\dd3.jpg
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\assets\upsell\dd4.jpg
C:\WINNT\DOWNLO~1.\DinerDash2.1.0.0.53\dinerdash2.exe
C:\WINNT\httpconf.dat
C:\WINNT\mirarsetup_876075.exe
C:\WINNT\rau001978.exe
C:\WINNT\system32\24987.exe
C:\WINNT\system32\3_exception.nls
C:\WINNT\system32\armrfc.sys
C:\WINNT\system32\bund1
C:\WINNT\system32\bund1\temp.txt
C:\WINNT\system32\cmd.com
C:\WINNT\system32\components
C:\WINNT\system32\components\flx0.dll
C:\WINNT\system32\components\flx33.dll
C:\WINNT\system32\components\flx35.dll
C:\WINNT\system32\components\flx36.dll
C:\WINNT\system32\components\flx38.dll
C:\WINNT\system32\components\flx39.dll
C:\WINNT\system32\components\flx40.dll
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\explorer.exe
C:\WINNT\system32\kernels8.exe
C:\WINNT\system32\mmccrd.sys
C:\WINNT\system32\netstat.com
C:\WINNT\system32\ping.com
C:\WINNT\system32\RunOnce2.t__
C:\WINNT\system32\RunOnce2.tm_
C:\WINNT\system32\taskkill.com
C:\WINNT\system32\tasklist.com
C:\WINNT\system32\tracert.com
C:\WINNT\system32\winpfz32.sys
C:\WINNT\win320839117847292007.exe
C:\WINNT\xhelper.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ARMRFC
-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_CORE
-------\LEGACY_EXAMPLE
-------\LEGACY_MMCCRD
-------\LEGACY_NDNET1
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\LEGACY_NEW_DRV
-------\LEGACY_NTLDR.SYS
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\cmdService
-------\kprof
-------\Net Agent
-------\new_drv
-------\ntldr.sys
-------\poof


((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))


2007-07-18 07:41 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-15 15:12 <DIR> d-------- C:\Program Files\CCleaner
2007-07-15 12:51 10,872 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-07-14 21:16 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2007-07-14 21:16 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2007-07-14 19:40 145,408 --a------ C:\WINNT\MSCONFIG.EXE
2007-07-14 19:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-14 19:09 3,840 --a------ C:\WINNT\system32\drivers\BANTExt.sys
2007-07-14 19:09 <DIR> d-------- C:\Program Files\Belarc
2007-07-14 16:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-14 15:57 <DIR> d-------- C:\WINNT\pss
2007-07-12 08:59 <DIR> d-------- C:\FOUND.202
2007-07-12 08:43 <DIR> d-------- C:\FOUND.201
2007-07-08 15:15 <DIR> d-------- C:\FOUND.200
2007-07-08 14:28 126 --a------ C:\WINNT\mocna.dll
2007-07-04 23:13 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2007-07-04 23:13 <DIR> d-------- C:\DOCUME~1\visitor1\APPLIC~1\TuneUp Software
2007-07-04 16:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software
2007-07-04 15:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-03 19:13 <DIR> d-------- C:\FOUND.199
2007-07-03 19:03 159,744 --a------ C:\WINNT\system32\rm.exe
2007-07-03 19:02 32,768 --a------ C:\WINNT\system32\setup9x.exe
2007-07-03 18:59 <DIR> d-------- C:\FOUND.198
2007-07-03 18:31 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Yahoo!
2007-07-03 18:30 <DIR> d-------- C:\FOUND.197
2007-07-03 18:21 <DIR> d-------- C:\FOUND.196
2007-07-03 17:58 <DIR> d-------- C:\FOUND.195
2007-07-03 17:28 <DIR> d-------- C:\FOUND.194
2007-07-02 01:22 <DIR> d-------- C:\FOUND.193
2007-07-02 00:58 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-07-02 00:35 549,720 --a------ C:\WINNT\system32\wuapi.dll
2007-07-02 00:35 43,352 --a------ C:\WINNT\system32\wups2.dll
2007-07-02 00:35 33,624 --a------ C:\WINNT\system32\wups.dll
2007-07-02 00:35 325,976 --a------ C:\WINNT\system32\wucltui.dll
2007-06-28 22:10 <DIR> d-------- C:\FOUND.192
2007-06-28 20:12 <DIR> d-------- C:\FOUND.191
2007-06-27 14:43 <DIR> d-------- C:\FOUND.190
2007-06-26 22:05 <DIR> d-------- C:\FOUND.189
2007-06-26 21:42 <DIR> d-------- C:\FOUND.188
2007-06-26 20:42 <DIR> d-------- C:\FOUND.187
2007-06-26 20:21 <DIR> d-------- C:\FOUND.186


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 04:45:56 181,008 ----a-w C:\WINNT\system32\winlogon.exe
2007-05-24 22:37:36 46,592 ----a-w C:\WINNT\zlbw.dll
2007-05-15 02:11:22 16,384 ----a-w C:\WINNT\system32\itdurpfm.dll
2007-04-30 04:18:48 167 ----a-w C:\5407.bat
2007-04-30 04:18:24 32,768 ----a-w C:\setup9x.exe
2007-04-30 03:46:34 1,516,850 --sh--w C:\WINNT\system32\vplyinbx.ini2
2007-04-30 03:11:30 167 ----a-w C:\6591.bat
2007-04-30 02:05:14 167 ----a-w C:\9758.bat
2007-04-28 07:22:58 339 ----a-w C:\WINNT\rrict.dll
2007-04-23 21:24:38 0 ----a-w C:\WINNT\system32\moviesdvds1176.exe
2007-04-23 21:18:14 25,637 ----a-w C:\WINNT\system32\update81085441.exe
2007-04-23 03:13:00 664 ----a-w C:\WINNT\system32\d3d9caps.dat
2007-04-23 03:12:00 984 ----a-w C:\WINNT\system32\d3d8caps.dat
2007-04-19 20:36:54 1,040,384 ----a-w C:\WINNT\system32\libeay32.dll
2007-04-19 20:36:14 196,608 ----a-w C:\WINNT\system32\ssleay32.dll
2007-01-21 09:39:40 0 ----a-w C:\Program Files\system spy server v1.0
2005-11-25 18:17:42 271 ---h--w C:\Program Files\desktop.ini
2005-11-25 18:17:42 21,952 ---h--w C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
07-03-20 14:39 803864 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
03-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B8E508D-CAB2-460C-B73F-CA5E834E4408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
05-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60E5A847-67D5-3370-A33C-6FE33D9CFF98}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
C:\WINNT\xhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
07-04-22 20:02 2403392 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C97E72C8-E809-B9FC-7B91-B59EFB1007CB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6162326-2095-40CC-92A7-0EB5AF6C249B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-07-14 21:16 ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [07-06-11 02:25 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SfKg6w"="C:\Documents and Settings\visitor1\Application Data\Microsoft\biodoslw.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [06-11-30 21:49 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=
"FlashPlayerUpdate"=C:\WINNT\System32\Macromed\Flash\GetFlash.exe

C:\DOCUME~1\visitor1\STARTM~1\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [07-05-30 05:29 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstss]
sstss.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINNT\system32\jmdeupcx.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kigyk]
C:\WINNT\system32\otvgjt.exe reg_run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nlaxjs]
C:\WINNT\system32\otvgjt.exe reg_run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
C:\Documents and Settings\visitor1\Application Data\Microsoft\biodoslw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\userinit]
C:\Documents and Settings\visitor1\Application Data\ntos.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\visitor1\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TCP and UDP Supp0rt"=2 (0x2)
"SLService"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"Network Monitor"=2 (0x2)
"Net Agent"=2 (0x2)
"MsaSvc"=2 (0x2)
"Microsoft IEUpdater2"=2 (0x2)
"lxcg_device"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"dmadmin"=3 (0x3)
"C-DillaCdaC11BA"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Firefox"=C:\Program Files\Mozilla Firefox\firefox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LoadQM"=loadqm.exe
"PPClean RunOnce insertion"="C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "virtumonde" "2" "configreboot"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"outlook"=C:\Program Files\outlook\outlook.exe /auto
"Ulead AutoDetector v2"=C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


Contents of the 'Scheduled Tasks' folder
2007-07-05 06:14:24 C:\WINNT\tasks\1-Click Maintenance.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-18 09:31:57
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden registry entries ...

disk error: C:\WINNT\system32\config\software
disk error: C:\Documents and Settings\visitor1\ntuser.dat
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-18 9:35:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-07-18 09:35

--- E O F ---
Dwight Hebert
Active Member
 
Posts: 13
Joined: October 28th, 2006, 3:28 pm

Post by Vino Rosso » July 20th, 2007, 2:08 pm

Hi

Thanks for posting the logs.

Given the amount of 'FOUND' folders, which are usually created by disk checking or scanning software such as Chkdsk, and the two disk errors shown below, there is a possibility that your hard disk drive is about to fail.

C:\FOUND.202
C:\FOUND.201
C:\FOUND.200
C:\FOUND.199
C:\FOUND.198
C:\FOUND.197
C:\FOUND.196
C:\FOUND.195
C:\FOUND.194
C:\FOUND.193
C:\FOUND.192
C:\FOUND.191
C:\FOUND.190
C:\FOUND.189
C:\FOUND.188
C:\FOUND.187
C:\FOUND.186

disk error: C:\WINNT\system32\config\software
disk error: C:\Documents and Settings\visitor1\ntuser.dat

I believe that your computer has had a number of serious infections and I would strongly recommend reformatting your hard drive, which will also check for disk errors, and re-installing Windows.

Unfortunately, it seems your computer has a number of infections. So that we know what infections are involved and to allow me to provide you with the most appropriate advice, please do the following:

1 - Run HijackThis Scan and Fix
Start HijackThis and click Do a system scan only
Tick the following entries, if present:
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm231YYUS
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://66.230.*.*
O15 - Trusted IP range: http://66.235.*.*
O15 - Trusted IP range: http://69.31.*.*
O15 - Trusted IP range: http://69.50.*.*
O15 - Trusted IP range: http://205.177.*.*


Close all windows except HijackThis
Click Fix Checked in HijackThis.

2 - ComboFix Script Fixes
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

Code:
File:: 
C:\Documents and Settings\visitor1\Application Data\Microsoft\biodoslw.exe
C:\Documents and Settings\visitor1\Application Data\ntos.exe
C:\WINNT\system32\moviesdvds1176.exe
C:\WINNT\system32\vplyinbx.ini2

Folder:: 
C:\Program Files\system spy server v1.0

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B8E508D-CAB2-460C-B73F-CA5E834E4408}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60E5A847-67D5-3370-A33C-6FE33D9CFF98}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C97E72C8-E809-B9FC-7B91-B59EFB1007CB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6162326-2095-40CC-92A7-0EB5AF6C249B}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SfKg6w"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstss]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kigyk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nlaxjs]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\userinit]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created CFScript.txt and drop it on the main ComboFix.exe icon
Please wait for ComboFix to finish running

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.

3 - Upload Files To Jotti
I'd like to be certain about the content of some files.
Please visit this link http://virusscan.jotti.org/
Click the Browse... button
Navigate to the following file on your PC:
  • C:\WINNT\system32\itdurpfm.dll
Click Open
Please reply back with the results from Jotti.

Please repeat the above for the following files:
  • C:\WINNT\system32\libeay32.dll
  • C:\WINNT\system32\rm.exe
  • C:\WINNT\system32\setup9x.exe
  • C:\WINNT\system32\ssleay32.dll
  • C:\WINNT\system32\update81085441.exe
  • C:\WINNT\system32\winlogon.exe
  • C:\WINNT\mocna.dll
  • C:\WINNT\rrict.dll
  • C:\WINNT\zlbw.dll
  • C:\5407.bat
  • C:\6591.bat
  • C:\9758.bat
  • C:\setup9x.exe
Please reply back with the results for all 14 files.

4 - Check on status
After you have completed the above, please provide:
  1. the Jotti results for 14 files
  2. the ComboFix.txt report
  3. a new HijackThis log
Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)
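
The reasoning in the reply above (many root-level FOUND.nnn folders together with catchme "disk error" lines point to a failing drive) can be checked mechanically against a log. The Python below is an added example, not part of the original thread or of ComboFix; the sample lines are constructed in the log's format, and the three-folder threshold and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the ComboFix/catchme log posted above.
SAMPLE_LOG = r"""
2007-07-12 08:59 <DIR> d-------- C:\FOUND.202
2007-07-12 08:43 <DIR> d-------- C:\FOUND.201
2007-07-08 15:15 <DIR> d-------- C:\FOUND.200
2007-07-08 14:28 126 --a------ C:\WINNT\mocna.dll
2007-07-03 19:13 <DIR> d-------- C:\FOUND.199
scanning hidden registry entries ...
disk error: C:\WINNT\system32\config\software
disk error: C:\Documents and Settings\visitor1\ntuser.dat
scanning hidden files ...
"""

DISK_ERROR = re.compile(r"^disk error:\s*(.+)$", re.IGNORECASE)
# Only folders directly under a drive root count (C:\FOUND.nnn), with or
# without the date/attribute columns in front of the path.
FOUND_DIR = re.compile(r"(?:^|\s)([A-Za-z]:\\FOUND\.\d{3})$", re.IGNORECASE)
LINE_DATE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s")
HIVE_NAMES = {"software", "system", "sam", "security", "default"}


def is_registry_hive(path):
    """True if the path is a registry hive file (system hive or user profile)."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    if name == "ntuser.dat":
        return True
    return "\\system32\\config\\" in p and name in HIVE_NAMES


def triage_disk_health(log_text, min_found_dirs=3):
    """Summarise disk-failure indicators in a pasted log.

    min_found_dirs is an assumed threshold, not a value from the thread.
    """
    found = {}        # folder path -> creation date string, or None if absent
    disk_errors = []  # unique paths, in order of first appearance
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DISK_ERROR.match(line)
        if m:
            if m.group(1) not in disk_errors:
                disk_errors.append(m.group(1))
            continue
        m = FOUND_DIR.search(line)
        if m:
            path = m.group(1).upper()
            date = LINE_DATE.match(line)
            # The same folder may appear twice (log plus a quoted reply);
            # keep one entry and prefer the copy that carries a date.
            if found.get(path) is None:
                found[path] = date.group(1) if date else None
    per_day = Counter(d for d in found.values() if d)
    return {
        "found_dirs": sorted(found),
        "found_per_day": dict(per_day),
        "disk_errors": disk_errors,
        "hive_errors": [p for p in disk_errors if is_registry_hive(p)],
        # Flag only when both indicators from the reply are present.
        "suspect": len(found) >= min_found_dirs and bool(disk_errors),
    }


if __name__ == "__main__":
    report = triage_disk_health(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Errors on registry hive files are reported separately because both paths flagged in this log are hives, and a damaged hive can explain broken shell behaviour independently of any infection.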

Post by Dwight Hebert » July 25th, 2007, 3:04 pm

Thanks Vino

The owner has decided to cut his losses and buy a new computer and retire this one, so I won't have the opportunity to follow your good advice.

Thanks for the help!

Dwight
Dwight Hebert
Active Member
 
Posts: 13
Joined: October 28th, 2006, 3:28 pm

Post by Vino Rosso » July 25th, 2007, 3:27 pm

Dwight Hebert wrote:The owner has decided to cut his losses and buy a new computer and retire this one...

Good choice I think!

Dwight Hebert wrote:Thanks for the help!

You're welcome :)
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Post by NonSuch » July 26th, 2007, 1:19 am

As this issue appears to be resolved, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California