Password stolen and program crashing.



Adam6420
2008-07-09, 07:32
Wasn't sure exactly where I should post this, but since I had passwords stolen this seemed like the best place. Please move if needed. Any help would be appreciated. I recently did my best to remove Virtumundo. So I recently had a password stolen; it must have been taken and decrypted off the HDD because I had it saved in my computer and never typed it. It was my PlayOnline password for Final Fantasy XI. A few weeks prior, when I started pol.exe it would give me an error message stating it encountered a problem and needed to close, but would run normally until I closed the message window. The mod is wzcsvbxm.dll




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:04 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {551931FA-A2C5-4498-B4A7-4BA8BA2C377F} - (no file)
O2 - BHO: (no name) - {62CA2072-E14C-4063-BE8E-EC2D3D1955C5} - (no file)
O2 - BHO: (no name) - {6953C7BD-5D13-4B95-B406-AD502BE3CFEE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {A49E6C80-B6A3-4969-B725-67E0D2B0FEF5} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CF4EE5F7-067B-4C88-A0DA-463B98E798C7} - (no file)
O2 - BHO: (no name) - {EC834713-4BA1-4947-9A49-E843348F0E11} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Brandon\lsass.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215131419172
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--c8a6ce1e-943e-4ec1-be69-99984ab64567/online/peggle/en/popcaploader_v10_en.cab
O20 - Winlogon Notify: ljjghed - ljjghed.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7966 bytes

pskelley
2008-07-10, 22:40
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Brandon\lsass.exe
http://www.castlecops.com/s16706-LSA_Shellu.html
http://www.symantec.com/security_response/writeup.jsp?docid=2002-070818-0630-99

This Trojan contains backdoor capabilities that allow a hacker to control your computer remotely using Internet Relay Chat (IRC). This Trojan also has the ability to download and execute other files of the hacker's choice. I believe this trojan is dangerous enough to post this information for you:
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Let us know what you have decided to do in your next post.

Thanks

Adam6420
2008-07-12, 07:58
Thank you for your response. I would really hate to have to reformat and re-install, as I've had to do so twice already in the past 4 months and have no way to back up any of the data. I would feel comfortable removing lsass.exe and trying to find any vulnerabilities on my PC. As the only thing that was stolen has been my password to an online game, I believe that was the hacker's sole purpose, and if they were to steal other information they would have done so already. I have already notified my banking institution and have changed my passwords on another PC. What would you suggest? Also, what could be causing my program to get that error message upon startup? I have re-installed and still get it. Thank you for your help.

pskelley
2008-07-12, 14:48
Thanks for the feedback, you asked:

What would you suggest?
I don't, I provide the necessary security information for you to make your own decisions.

Also what could be causing my program to get that error message upon startup?
I have no idea; post the error message "word for word" exactly as it is communicated to you from Windows and I may have a better chance at researching it. When malware is involved, it makes changes that should not be made to your system, and this is the system's way of informing you this has happened.

I also see this item, so you have or had a Vundo infection that was not completely removed, or that item would not be there. At this point I have only the information from the HJT log, so I have no way of knowing if that infection is still present, since most of it remains hidden from HJT.

O20 - Winlogon Notify: ljjghed - ljjghed.dll (file missing)

Hope this helps
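
The two log lines the helper singled out (the O4 entry running lsass.exe from a user profile folder, and the O20 Winlogon Notify entry pointing at a missing DLL) are both things a script can catch in a HijackThis log. The following is an added example, not code from the thread or from HijackThis: it parses O4, O20 and O2 lines and flags a Windows system-process name launched from outside the system directory, a Winlogon Notify DLL that no longer exists, and orphaned BHO entries. The sample log lines are constructed to mirror this thread's log; the severity labels and the list of impersonated process names are this example's own assumptions.

```python
import ntpath
import re

# Constructed sample modelled on the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Brandon\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ljjghed - ljjghed.dll (file missing)
O2 - BHO: (no name) - {551931FA-A2C5-4498-B4A7-4BA8BA2C377F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
"""

# Directories where a genuine copy of a core Windows XP process lives (assumption: default install drive C:).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
# Process names that malware borrows to blend in with the real processes of the same name.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
                        "winlogon.exe", "services.exe", "spoolsv.exe"}

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
# First drive-letter path ending in an executable extension, quoted or not, with or without arguments.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|bat|cmd|scr)\b', re.IGNORECASE)


def extract_path(command):
    """Return the executable path from an O4 command line, or None if there is no drive-letter path."""
    match = PATH_RE.search(command)
    return match.group(0) if match else None


def analyse_hjt(text):
    """Return a list of (section, severity, detail) findings for the suspicious patterns described above."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            if path:
                exe = ntpath.basename(path).lower()
                parent = ntpath.dirname(path).lower()
                # A core system process name running from a user profile or temp folder is an impersonation.
                if exe in SYSTEM_PROCESS_NAMES and parent not in SYSTEM_DIRS:
                    findings.append(("O4", "high", "system process name outside system directory: " + path))
            continue
        m = O20_RE.match(line)
        if m and m.group("missing"):
            # A Winlogon Notify package whose DLL is gone is a leftover from an incomplete removal.
            findings.append(("O20", "medium", "Winlogon Notify entry for missing DLL: " + m.group("dll")))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            findings.append(("O2", "info", "BHO registered with no backing file: " + m.group("clsid")))
    return findings


if __name__ == "__main__":
    for section, severity, detail in analyse_hjt(SAMPLE_HJT_LOG):
        print(f"{section:<4} {severity:<7} {detail}")
```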

Adam6420
2008-07-13, 10:57
So what would be the necessary steps I should take to remove lsass.exe and secure my computer as best as possible without a re-install?

Here is the error message. It's the "______ has encountered a problem and needs to close" one, and until I click Send or Don't Send error report, the program continues to run normally.


Error Signature
AppName: pol.exe AppVer: 1.18.7.0 ModName: wzcsvbxm.dll
ModVer: 0.0.0.0 Offset: 00002d60


The following files will be included in this error report:
C:\DOCUME~1\Brandon\LOCALS~1\Temp\3ab4_appcompat.txt

pskelley
2008-07-13, 15:37
wzcsvbxm.dll <<< that's part of the Vundo infection. The hackers don't take into consideration what effect their junk has on your computer when they infect you. A little information if you are interested:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally post the contents of the Report.txt back on the forum with a new HijackThis log

(wait until you finish to post reports and logs)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall

Post the log from SDFix, the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

Adam6420
2008-07-14, 12:43
I followed the Instructions, and here are the logs:

SDFix: Version 1.205
Run by Adam on Mon 07/14/2008 at 02:04 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\pac.txt - Deleted



Folder C:\Temp\gbRve12 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 02:11:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:21,c0,92,ef,13,f3,11,41,66,6b,20,a2,60,44,c2,42,cc,b0,da,92,23,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2f,b8,bb,4b,95,09,e3,3d,0b,42,cb,f8,d1,e0,0e,cd,b1,..
"khjeh"=hex:bb,fb,f1,e7,81,2c,c3,73,1c,e6,90,c2,68,89,9d,2e,a7,73,77,3d,b7,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:90,ca,10,70,b0,8b,a3,80,ef,a0,49,d4,88,01,00,ec,65,6a,1a,80,3c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:21,c0,92,ef,13,f3,11,41,66,6b,20,a2,60,44,c2,42,cc,b0,da,92,23,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2f,b8,bb,4b,95,09,e3,3d,0b,42,cb,f8,d1,e0,0e,cd,b1,..
"khjeh"=hex:bb,fb,f1,e7,81,2c,c3,73,1c,e6,90,c2,68,89,9d,2e,a7,73,77,3d,b7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:90,ca,10,70,b0,8b,a3,80,ef,a0,49,d4,88,01,00,ec,65,6a,1a,80,3c,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\java.exe"="C:\\WINDOWS\\system32\\java.exe:*:Disabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 17 Aug 2004 15,872 ..SH. --- "C:\WINDOWS\system32\wzcsvbxm.dll"
Tue 17 Aug 2004 15,872 A.SH. --- "C:\Documents and Settings\Brandon\Desktop\wzcsvbxm.dll"
Tue 1 Apr 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Tue 1 Apr 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Thu 3 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

2006-03-31 15:27 2934 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\medium.png.vir
2006-03-31 15:27 2960 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\backchalkup.png.vir
2006-03-31 15:27 2965 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\drinkstation_on2.png.vir
2006-03-31 15:27 2967 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\levelintro_mask.png.vir
2006-03-31 15:27 2990 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\drinkstation_off.png.vir
2006-03-31 15:27 3091 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\cook\cook.xml.vir
2006-03-31 15:27 3122 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\quitgameover.png.vir
2006-03-31 15:27 3137 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\powerups.xml.vir
2006-03-31 15:27 3175 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\tryagain.png.vir
2006-03-31 15:27 31920 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\comics\webcomic.jpg.vir
2006-03-31 15:27 3196 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\resumegameover.png.vir
2006-03-31 15:27 3208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\continueover.png.vir
2006-03-31 15:27 3218 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\upgradetitle.png.vir
2006-03-31 15:27 3244 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\tryagainover.png.vir
2006-03-31 15:27 3248 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\drinkstation_on1.png.vir
2006-03-31 15:27 3250 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewhighscoreon.png.vir
2006-03-31 15:27 3346 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\continue.png.vir
2006-03-31 15:27 33657 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\career.xml.vir
2006-03-31 15:27 3383 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\levelover_mask.png.vir
2006-03-31 15:27 34231 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\fonts\komikaaxis.mvec.vir
2006-03-31 15:27 3602 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_deliver_food_1_snd.ogg.vir
2006-03-31 15:27 3650 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_gain_heart_1.ogg.vir
2006-03-31 15:27 3710 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewhighscore.png.vir
2006-03-31 15:27 3762 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\resumegame.png.vir
2006-03-31 15:27 3776 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\quitgame.png.vir
2006-03-31 15:27 39050 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\upsell.jpg.vir
2006-03-31 15:27 3906 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_dish_dropoff_1_snd.ogg.vir
2006-03-31 15:27 3932 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_food_ready_1_snd.ogg.vir
2006-03-31 15:27 4173 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewlocalup.png.vir
2006-03-31 15:27 4189 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewlocal.png.vir
2006-03-31 15:27 4219 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewglobalup.png.vir
2006-03-31 15:27 4235 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewglobal.png.vir
2006-03-31 15:27 43278 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\mainmenu.jpg.vir
2006-03-31 15:27 4392 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\upgrade_over.png.vir
2006-03-31 15:27 4413 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_pickup_food_1_snd.ogg.vir
2006-03-31 15:27 4429 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\upgrade_up.png.vir
2006-03-31 15:27 448 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\green\sit_legs.png.vir
2006-03-31 15:27 466 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\red\sit_legs.png.vir
2006-03-31 15:27 475 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\purple\sit_legs.png.vir
2006-03-31 15:27 476 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\blue\sit_legs.png.vir
2006-03-31 15:27 483 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\yellow\sit_legs.png.vir
2006-03-31 15:27 4861 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_pencil_write_2.ogg.vir
2006-03-31 15:27 4862 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_seat_people_snd.ogg.vir
2006-03-31 15:27 504 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\on_on.png.vir
2006-03-31 15:27 505 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\on.png.vir
2006-03-31 15:27 5299 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_bring_check_1_snd.ogg.vir
2006-03-31 15:27 5529 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\chair.png.vir
2006-03-31 15:27 5560 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_deliver_order_1_snd.ogg.vir
2006-03-31 15:27 55809 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\music\mainmenumusic.ogg.vir
2006-03-31 15:27 568 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\cup.png.vir
2006-03-31 15:27 580 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\off.png.vir
2006-03-31 15:27 580 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\off_on.png.vir
2006-03-31 15:27 6010 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\upgradegrid.png.vir
2006-03-31 15:27 619 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\customer_cup.png.vir
2006-03-31 15:27 621 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\global.xml.vir
2006-03-31 15:27 626 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\green\sit_legs.png.vir
2006-03-31 15:27 640 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\purple\sit_legs.png.vir
2006-03-31 15:27 649 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\red\sit_legs.png.vir
2006-03-31 15:27 6690 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\cook\cook.png.vir
2006-03-31 15:27 6727 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_party_arrive_1_snd.ogg.vir
2006-03-31 15:27 678 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\blue\sit_legs.png.vir
2006-03-31 15:27 6892 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\upper.xml.vir
2006-03-31 15:27 6943 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\lower.png.vir
2006-03-31 15:27 7362 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\popup.jpg.vir
2006-03-31 15:27 741 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\ticket.png.vir
2006-03-31 15:27 786 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\yellow\sit_legs.png.vir
2006-03-31 15:27 825 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowleft_blue.png.vir
2006-03-31 15:27 827 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowright_blue.png.vir
2006-03-31 15:27 827 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\pause.png.vir
2006-03-31 15:27 843 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\pauseover.png.vir
2006-03-31 15:27 850 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\plates.png.vir
2006-03-31 15:27 9248 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_diner.ogg.vir
2006-03-31 15:27 927 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\menu_down.png.vir
2006-03-31 15:27 991 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowright_yellow.png.vir
2006-03-31 15:27 995 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowleft_yellow.png.vir
2006-03-31 15:28 1014 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tutorialarrow.png.vir
2006-03-31 15:28 10376 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\level.png.vir
2006-03-31 15:28 11027 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgradeanim.png.vir
2006-03-31 15:28 1117 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\heartgrow.xml.vir
2006-03-31 15:28 1146 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\coinflip.xml.vir
2006-03-31 15:28 1179 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\angersmoke.xml.vir
2006-03-31 15:28 11803 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\strings.xml.vir
2006-03-31 15:28 1182 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\dollar.png.vir
2006-03-31 15:28 1300 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\gothighscore.lua.vir
2006-03-31 15:28 1323 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\style.lua.vir
2006-03-31 15:28 14012 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\ticketstation.png.vir
2006-03-31 15:28 14475 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\hiscore.lua.vir
2006-03-31 15:28 1457 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgradeanim.xml.vir
2006-03-31 15:28 1497 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\chooserestaurant.lua.vir
2006-03-31 15:28 1516 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\yesno.lua.vir
2006-03-31 15:28 1521 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\tutorialintro.lua.vir
2006-03-31 15:28 1582 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\levelintro.lua.vir
2006-03-31 15:28 1641 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\check.png.vir
2006-03-31 15:28 1757 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\2top.xml.vir
2006-03-31 15:28 1830 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\staron.png.vir
2006-03-31 15:28 1880 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tutorialbox.png.vir
2006-03-31 15:28 1884 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\chairflags.xml.vir
2006-03-31 15:28 18939 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\jar.png.vir
2006-03-31 15:28 1926 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\4top.png.vir
2006-03-31 15:28 1947 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\choosedifficulty.lua.vir
2006-03-31 15:28 2013 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\heartgrow.png.vir
2006-03-31 15:28 2057 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\pause.lua.vir
2006-03-31 15:28 2066 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\title.png.vir
2006-03-31 15:28 2098 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\chairflags.png.vir
2006-03-31 15:28 2142 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\2top.png.vir
2006-03-31 15:28 21506 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\splash\playfirst_logo.jpg.vir
2006-03-31 15:28 2187 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tablenumber.png.vir
2006-03-31 15:28 2227 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\4top.xml.vir
2006-03-31 15:28 2247 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\webcomic.lua.vir
2006-03-31 15:28 2301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\drinks.png.vir
2006-03-31 15:28 23014 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\background.jpg.vir
2006-03-31 15:28 2303 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tablenumberup.png.vir
2006-03-31 15:28 2482 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\shoes.png.vir
2006-03-31 15:28 2500 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\help.lua.vir
2006-03-31 15:28 2511 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\coinflip.png.vir
2006-03-31 15:28 2574 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\mainmenu.lua.vir
2006-03-31 15:28 2621 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\ticketstation.xml.vir
2006-03-31 15:28 2676 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\fork_timer.png.vir
2006-03-31 15:28 2680 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\goalcompleted.png.vir
2006-03-31 15:28 2754 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\upgrade.lua.vir
2006-03-31 15:28 28970 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\frames\upgrade_0001.png.vir
2006-03-31 15:28 2928 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\doodles\wallpaper.png.vir
2006-03-31 15:28 2996 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\tableshadow.png.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1_a.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1_b.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1_c.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_a.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_c.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_d.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_a.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_b.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_c.txt.vir
2006-03-31 15:28 301 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_d.txt.vir
2006-03-31 15:28 3021 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\closed.png.vir
2006-03-31 15:28 313 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\first_level_diner.txt.vir
2006-03-31 15:28 313 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\second_level_diner.txt.vir
2006-03-31 15:28 313 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_b.txt.vir
2006-03-31 15:28 313 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\fifth_level_diner.txt.vir
2006-03-31 15:28 313 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\fourth_level_diner.txt.vir
2006-03-31 15:28 3181 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\angersmoke.png.vir
2006-03-31 15:28 3217 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food2.png.vir
2006-03-31 15:28 3263 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food3.png.vir
2006-03-31 15:28 3323 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food1.png.vir
2006-03-31 15:28 335 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\checkmark.png.vir
2006-03-31 15:28 3381 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\help2.lua.vir
2006-03-31 15:28 357 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\p1icon.png.vir
2006-03-31 15:28 3757 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\levelover.lua.vir
2006-03-31 15:28 3783 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\oven.png.vir
2006-03-31 15:28 3784 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\hiscoresubmit.lua.vir
2006-03-31 15:28 3844 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\textedit.png.vir
2006-03-31 15:28 3861 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\chooseplayer.lua.vir
2006-03-31 15:28 3910 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\expertscore.png.vir
2006-03-31 15:28 3924 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\table.png.vir
2006-03-31 15:28 3960 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\doodles\tables.png.vir
2006-03-31 15:28 4094 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\game.lua.vir
2006-03-31 15:28 4177 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\select.png.vir
2006-03-31 15:28 419 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\traynumber.png.vir
2006-03-31 15:28 4267 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\stereo.png.vir
2006-03-31 15:28 4276 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\level_career.png.vir
2006-03-31 15:28 443 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\upgrades.xml.vir
2006-03-31 15:28 4505 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\maitred.png.vir
2006-03-31 15:28 5155 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\doodles\coffee.png.vir
2006-03-31 15:28 5460 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\playfirst_logo.png.vir
2006-03-31 15:28 5463 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\foodpoof.png.vir
2006-03-31 15:28 5511 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\closingtime.png.vir
2006-03-31 15:28 6341 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\expert.png.vir
2006-03-31 15:28 640 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\foodpoof.xml.vir
2006-03-31 15:28 677 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowright.png.vir
2006-03-31 15:28 678 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food2.xml.vir
2006-03-31 15:28 678 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food3.xml.vir
2006-03-31 15:28 679 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food1.xml.vir
2006-03-31 15:28 679 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowrighton.png.vir
2006-03-31 15:28 684 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowleft.png.vir
2006-03-31 15:28 684 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowlefton.png.vir
2006-03-31 15:28 6924 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tutorial_character.png.vir
2006-03-31 15:28 697 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\sound.png.vir
2006-03-31 15:28 699 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowdownon.png.vir
2006-03-31 15:28 700 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowdown.png.vir
2006-03-31 15:28 701 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowup.png.vir
2006-03-31 15:28 702 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\hiscoreinfo.lua.vir
2006-03-31 15:28 703 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowupon.png.vir
2006-03-31 15:28 7620 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\splash\aol_logo.png.vir
2006-03-31 15:28 7639 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\splash\gamelabsplash.jpg.vir
2006-03-31 15:28 775 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\loading.lua.vir
2006-03-31 15:28 825 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\mainloop.lua.vir
2006-03-31 15:28 8311 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\credits.lua.vir
2006-03-31 15:28 836 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\ok.lua.vir
2006-03-31 15:28 862 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\staroff.png.vir
2006-03-31 15:28 8910 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\score.png.vir
2006-03-31 15:28 941 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\jar.xml.vir
2006-03-31 15:28 973 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\upsell.lua.vir
2006-03-31 15:28 9739 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\clock.png.vir
2006-03-31 15:30 1009256 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.80\dinerdash.exe.vir
2007-04-25 21:30 29184 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\MSINET.oca.vir
2008-03-24 14:47 1578565 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rpwdqqpx.ini.vir
2008-03-24 19:10 1578806 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\oawgxwhu.ini.vir
2008-03-26 14:53 1511462 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\caqwwarn.ini.vir
2008-03-27 11:07 1416544 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sxspjrhs.ini.vir
2008-03-28 14:50 1476500 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ewtvyliv.ini.vir
2008-03-28 14:51 1271333 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qriooekw.ini.vir
2008-03-29 04:13 286657 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ddeeg.ini2.vir
2008-03-29 04:15 286673 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ddeeg.ini.vir
2008-03-29 04:37 1122 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2008-03-29 15:32 1583673 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dbpdcnap.ini.vir
2008-03-29 15:32 284073 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ycbeg.ini2.vir
2008-03-29 15:34 284073 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ycbeg.ini.vir
2008-04-01 16:41 276914 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hhkmp.ini.vir
2008-04-01 16:41 276914 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hhkmp.ini2.vir
2008-04-01 22:06 297779 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ihhkj.ini.vir
2008-04-01 22:06 297779 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ihhkj.ini2.vir
2008-04-02 07:10 281814 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nmllm.ini2.vir
2008-04-02 07:12 282168 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nmllm.ini.vir
2008-04-02 20:35 277049 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fhkmp.ini.vir
2008-04-02 20:35 277049 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fhkmp.ini2.vir
2008-04-02 23:22 279455 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rstwa.ini.vir
2008-04-02 23:22 279455 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rstwa.ini2.vir
2008-04-02 23:57 269737 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\orutv.ini.vir
2008-04-02 23:57 269737 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\orutv.ini2.vir
2008-04-03 03:02 275951 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qqtss.ini2.vir
2008-04-03 03:05 275951 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qqtss.ini.vir
2008-07-14 02:27 195 --a------ C:\Qoobox\Quarantine\catchme.log
2008-07-14 02:34 157 --a------ C:\Qoobox\Quarantine\Registry_backups\BHO-{551931FA-A2C5-4498-B4A7-4BA8BA2C377F}.reg.dat
2008-07-14 02:34 157 --a------ C:\Qoobox\Quarantine\Registry_backups\BHO-{62CA2072-E14C-4063-BE8E-EC2D3D1955C5}.reg.dat
2008-07-14 02:34 157 --a------ C:\Qoobox\Quarantine\Registry_backups\BHO-{6953C7BD-5D13-4B95-B406-AD502BE3CFEE}.reg.dat
2008-07-14 02:34 157 --a------ C:\Qoobox\Quarantine\Registry_backups\BHO-{A49E6C80-B6A3-4969-B725-67E0D2B0FEF5}.reg.dat
2008-07-14 02:34 157 --a------ C:\Qoobox\Quarantine\Registry_backups\BHO-{CF4EE5F7-067B-4C88-A0DA-463B98E798C7}.reg.dat
2008-07-14 02:34 157 --a------ C:\Qoobox\Quarantine\Registry_backups\BHO-{EC834713-4BA1-4947-9A49-E843348F0E11}.reg.dat
2008-07-14 02:34 196 --a------ C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Universal Installer.reg.dat
2008-07-14 02:34 494 --a------ C:\Qoobox\Quarantine\Registry_backups\Notify-ljjghed.reg.dat


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:14 AM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215131419172
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--c8a6ce1e-943e-4ec1-be69-99984ab64567/online/peggle/en/popcaploader_v10_en.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6713 bytes

pskelley
2008-07-14, 16:02
I need to see the ComboFix log; you have posted information from C:\Qoobox\Quarantine\, which is where ComboFix stores the junk it removes. Return to your C:\ and post the C:\Combofix.txt

I also requested that TeaTimer be disabled (and that TT be left disabled until we finish).
TeaTimer is running in the HJT log.
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Please follow directions; if this were baseball, that would be strike two. Also post a new HJT log so I can see that this important instruction has been followed.

Thanks

Adam6420
2008-07-15, 03:38
SDFix: Version 1.205
Run by Brandon on Mon 07/14/2008 at 05:01 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 17:08:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:21,c0,92,ef,13,f3,11,41,66,6b,20,a2,60,44,c2,42,cc,b0,da,92,23,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2f,b8,bb,4b,95,09,e3,3d,0b,42,cb,f8,d1,e0,0e,cd,b1,..
"khjeh"=hex:bb,fb,f1,e7,81,2c,c3,73,1c,e6,90,c2,68,89,9d,2e,a7,73,77,3d,b7,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:90,ca,10,70,b0,8b,a3,80,ef,a0,49,d4,88,01,00,ec,65,6a,1a,80,3c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:21,c0,92,ef,13,f3,11,41,66,6b,20,a2,60,44,c2,42,cc,b0,da,92,23,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2f,b8,bb,4b,95,09,e3,3d,0b,42,cb,f8,d1,e0,0e,cd,b1,..
"khjeh"=hex:bb,fb,f1,e7,81,2c,c3,73,1c,e6,90,c2,68,89,9d,2e,a7,73,77,3d,b7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:90,ca,10,70,b0,8b,a3,80,ef,a0,49,d4,88,01,00,ec,65,6a,1a,80,3c,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\java.exe"="C:\\WINDOWS\\system32\\java.exe:*:Disabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 17 Aug 2004 15,872 ..SH. --- "C:\WINDOWS\system32\wzcsvbxm.dll"
Tue 17 Aug 2004 15,872 A.SH. --- "C:\Documents and Settings\Brandon\Desktop\wzcsvbxm.dll"
Tue 1 Apr 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Tue 1 Apr 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Thu 3 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!


ComboFix 08-07-14.2 - Brandon 2008-07-14 17:24:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.241 [GMT -7:00]
Running from: C:\Documents and Settings\Brandon\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-14 02:00 . 2008-07-14 02:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-14 01:54 . 2008-07-14 17:09 <DIR> d-------- C:\SDFix
2008-07-08 21:23 . 2008-07-08 21:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-08 20:52 . 2008-07-08 20:52 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-08 20:08 . 2008-07-08 20:08 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-07-08 18:40 . 2008-07-08 18:40 <DIR> d-------- C:\Program Files\PlayOnline
2008-07-08 04:11 . 2008-07-08 04:19 <DIR> d-------- C:\Program Files\Nitto 1320 Legends
2008-07-06 04:43 . 2008-07-06 04:43 <DIR> d-------- C:\Documents and Settings\Brandon\Application Data\PlayFirst
2008-07-06 04:43 . 2008-07-06 04:43 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-05 03:09 . 2008-07-05 03:09 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PopCap
2008-07-01 22:18 . 2008-07-01 22:18 <DIR> d-------- C:\Program Files\Audacity
2008-06-30 20:00 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-06-30 16:18 . 2008-07-14 08:54 1,668 --a------ C:\WINDOWS\Bringer.INI
2008-06-29 20:07 . 2008-06-29 21:05 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-29 18:15 . 2008-06-30 00:18 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-17 15:41 . 2008-07-04 04:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-17 15:41 . 2008-06-17 15:41 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 15:29 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-27 01:51 --------- dc----w C:\Program Files\DivX
2008-06-25 20:30 --------- d-----w C:\Documents and Settings\Brandon\Application Data\LimeWire
2008-06-12 22:40 --------- dc----w C:\Program Files\Java
2008-06-07 04:56 --------- d-----w C:\Program Files\MSECache
2008-06-03 13:51 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 13:09 0 ----a-w C:\Program Files\temp01
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-18 01:34 --------- d-----w C:\Documents and Settings\Brandon\Application Data\Move Networks
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-01 00:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-11 11:17 483 ----a-w C:\Program Files\Shortcut to NetMeeting.lnk
2004-08-17 09:25 15,872 --sh--w C:\WINDOWS\system32\wzcsvbxm.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-14_ 2.34.04.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-14 09:00:44 4,382,720 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-07-14 23:58:06 4,382,720 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2008-07-14 09:00:44 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-14 23:58:06 163,840 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2008-07-14 09:25:26 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-14 21:19:26 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-14 09:25:26 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-14 21:19:26 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-10 20:12 282624]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b8cf959-ed92-11dc-8a21-ce3ad220a3aa}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3a68fb5-edbb-11dc-8a28-001320467212}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 09:14:36 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-07-01 08:00:07 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 17:26:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-14 17:27:46
ComboFix-quarantined-files.txt 2008-07-15 00:27:36
ComboFix2.txt 2008-07-14 09:34:38

Pre-Run: 6,162,042,880 bytes free
Post-Run: 6,225,010,688 bytes free

138 --- E O F --- 2008-06-11 00:54:05



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:39 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215131419172
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--c8a6ce1e-943e-4ec1-be69-99984ab64567/online/peggle/en/popcaploader_v10_en.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6689 bytes

pskelley
2008-07-15, 12:36
Thanks, read and follow these directions carefully and in the numbered order.

1) C:\Program Files\Java\jre1.6.0_06\ <<< check Java for an update:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) C:\SDFix <<< delete SDFix from your computer

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) <<< damaged
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.myspace.com/gameshell/g...der_v10_en.cab <<< adware

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

How is the computer running now?

Thanks
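
As an added example (not from this thread, and not a HijackThis or Spybot tool), here is a small Python triage script that applies the two checks used in step 4 above to HJT log lines: an O2 BHO whose path reads "(no file)", and an O16 DPF whose cab is downloaded from a host outside an allowlist. It also extracts O4 Run entries so you can confirm an autostart such as TeaTimer is gone before posting a new log. The allowlist TRUSTED_DPF_HOSTS is an assumption, and the sample lines are constructed by copying the shape of the logs in this thread.

```python
"""Triage helper for HijackThis v2.0.2 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: hosts treated as an expected source of O16 (DPF) ActiveX cab files.
# Cabs from any other host are reported for manual review, not declared malicious.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

# Every HJT item line starts with a section tag (R0, O2, O4, O16, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")

# Constructed sample: five lines in the same format as the logs above.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215131419172
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--c8a6ce1e-943e-4ec1-be69-99984ab64567/online/peggle/en/popcaploader_v10_en.cab
"""


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def parse_hjt(text):
    """Yield (section, body) for every HJT item line; header and blank lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def run_entries(text):
    """Map O4 Run-key autostart names to their commands, e.g. 'SpybotSD TeaTimer' -> path."""
    entries = {}
    for section, body in parse_hjt(text):
        if section != "O4":
            continue
        m = re.match(r"^.*?\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$", body)
        if m:
            entries[m.group("name")] = m.group("cmd")
    return entries


def _trusted_host(host):
    """Exact or subdomain match against the allowlist (avoids 'notmicrosoft.com' matching)."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(text):
    """Return Findings for orphaned BHOs and ActiveX cabs from non-allowlisted hosts."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O2" and body.endswith("(no file)"):
            # BHO still registered but its DLL is gone: a damaged entry HJT can safely fix.
            findings.append(Finding("O2", "BHO points to a missing file", body))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if not _trusted_host(host):
                findings.append(Finding("O16", "ActiveX cab from non-allowlisted host: " + host, body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.detail}")
    print("TeaTimer autostart present:", "SpybotSD TeaTimer" in run_entries(SAMPLE_LOG))
```

On the sample this reports the WormRadar BHO (missing file) and the PopCap loader cab (games.myspace.com), and leaves the Microsoft Update control alone; a flagged O16 host is a prompt to look the control up, not a verdict on its own.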

Adam6420
2008-07-15, 14:36
PlayOnline is still getting the error message with wzcsvbxm.dll as the problem. Another problem I have found is that I cannot enable automatic updates from Microsoft, and when going to the automatic updates section from system properties, the window freezes. On the MS website it says that files are missing, but when I try to download them it does nothing. But I have noticed that my web browser is running a lot faster :)


Malwarebytes' Anti-Malware 1.20
Database version: 951
Windows 5.1.2600 Service Pack 2

4:26:51 AM 7/15/2008
mbam-log-7-15-2008 (04-26-51).txt

Scan type: Full Scan (C:\|X:\|)
Objects scanned: 117270
Time elapsed: 34 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\BMcbb8b562.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMcbb8b562.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:01 AM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215131419172
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6140 bytes

pskelley
2008-07-15, 14:53
MBAM just removed a bunch of junk, did you restart the computer and see how it runs?

If you want help with error messages, you will need to post them exactly as you get them, "word for word"; there is little chance of researching them otherwise.
For instance: error message with wzcsvbxm.dll
Google: http://www.google.com/search?hl=en&q=error+message+with+wzcsvbxm.dll+&btnG=Search

You may need to find a forum to ask about the error at Playonline?
http://www.google.com/search?hl=en&q=PLayonline++error+message+&btnG=Search

Give me the WU messages. You should also check to be sure it is not disabled in Services:
Click Start > Run and type services.msc
Scroll down to Automatic Updates, right click on it and choose Properties.
On the General tab be sure the Startup type is set to Automatic.

Thanks

Adam6420
2008-07-15, 15:51
I have searched for hours trying to find anything on wzcsvbxm.dll and Playonline viewer error messages, to no avail. You stated that wzcsvbxm.dll was part of the Vundo virus when I provided the error message in a previous post. Does that mean I still have the virus? Here it is again. Funny thing is the app works fine until I hit either send or don't send the error report to MS. The only useful info I found was that it is related to Playonline passwords being stolen. :( As for the automatic updates, it is set to automatic startup. When I try to download an update manually through the MS website, it states there are files missing, but when it leads me to download the missing files nothing happens. Other than that the comp seems to be running smooth.

Here is the error report again

Error signature

AppName: pol.exe AppVer: 1.18.7.0 ModName: wzcsvbxm.dll
ModVer: 0.0.0.0 Offset: 00002d60

pskelley
2008-07-15, 16:09
Sure looked like a Vundo file to me, but when I rescanned I find the only references are to the game site you are using. Keep in mind you are working with one; I am working with around 50.

1) Let's remove combofix and get a fresh download:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Restart the computer...

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log. (wait until you finish the KOS scan to post)

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here along with the combofix log and a fresh HJT log.

Thanks

Adam6420
2008-07-15, 17:51
Again, thank you so much for your time and help. Finally a scanner that found it!


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 15, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 15, 2008 13:39:58
Records in database: 955772
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
X:\

Scan statistics:
Files scanned: 82805
Threat name: 1
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 00:53:52


File name / Threat name / Threats count
svchost.exe\wzcsvbxm.dll/svchost.exe\wzcsvbxm.dll Infected: Trojan-GameThief.Win32.WOW.bkb 1
c:\windows\system32\wzcsvbxm.dll/c:\windows\system32\wzcsvbxm.dll Infected: Trojan-GameThief.Win32.WOW.bkb 1
C:\Documents and Settings\Brandon\Desktop\wzcsvbxm.dll Infected: Trojan-GameThief.Win32.WOW.bkb 1
C:\WINDOWS\system32\wzcsvbxm.dll Infected: Trojan-GameThief.Win32.WOW.bkb 1

The selected area was scanned.



ComboFix 08-07-14.2 - Brandon 2008-07-15 6:25:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.199 [GMT -7:00]
Running from: C:\Documents and Settings\Brandon\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-15 03:47 . 2008-07-15 03:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-15 03:47 . 2008-07-15 03:47 <DIR> d-------- C:\Documents and Settings\Brandon\Application Data\Malwarebytes
2008-07-15 03:47 . 2008-07-15 03:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-15 03:47 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-15 03:47 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-15 03:23 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-14 02:00 . 2008-07-14 02:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-08 21:23 . 2008-07-08 21:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-08 20:52 . 2008-07-08 20:52 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-08 20:08 . 2008-07-08 20:08 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-07-08 18:40 . 2008-07-08 18:40 <DIR> d-------- C:\Program Files\PlayOnline
2008-07-08 04:11 . 2008-07-08 04:19 <DIR> d-------- C:\Program Files\Nitto 1320 Legends
2008-07-06 04:43 . 2008-07-06 04:43 <DIR> d-------- C:\Documents and Settings\Brandon\Application Data\PlayFirst
2008-07-06 04:43 . 2008-07-06 04:43 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-05 03:09 . 2008-07-05 03:09 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PopCap
2008-07-01 22:18 . 2008-07-01 22:18 <DIR> d-------- C:\Program Files\Audacity
2008-06-30 20:00 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-06-30 16:18 . 2008-07-15 06:24 1,675 --a------ C:\WINDOWS\Bringer.INI
2008-06-29 20:07 . 2008-06-29 21:05 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-29 18:15 . 2008-06-30 00:18 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-17 15:41 . 2008-07-04 04:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-17 15:41 . 2008-06-17 15:41 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 10:23 --------- dc----w C:\Program Files\Java
2008-07-09 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 15:29 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-27 01:51 --------- dc----w C:\Program Files\DivX
2008-06-25 20:30 --------- d-----w C:\Documents and Settings\Brandon\Application Data\LimeWire
2008-06-07 04:56 --------- d-----w C:\Program Files\MSECache
2008-06-03 13:51 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 13:09 0 ----a-w C:\Program Files\temp01
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-18 01:34 --------- d-----w C:\Documents and Settings\Brandon\Application Data\Move Networks
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-01 00:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-11 11:17 483 ----a-w C:\Program Files\Shortcut to NetMeeting.lnk
2004-08-17 09:25 15,872 --sh--w C:\WINDOWS\system32\wzcsvbxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-10 20:12 282624]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42 1404928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b8cf959-ed92-11dc-8a21-ce3ad220a3aa}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3a68fb5-edbb-11dc-8a28-001320467212}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 09:13:56 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-07-01 08:00:07 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 06:28:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-15 6:29:05
ComboFix-quarantined-files.txt 2008-07-15 13:28:59
ComboFix2.txt 2008-07-15 00:27:46

Pre-Run: 7,176,032,256 bytes free
Post-Run: 7,182,819,328 bytes free

132 --- E O F --- 2008-06-11 00:54:05



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:08 AM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215131419172
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6201 bytes

pskelley
2008-07-15, 19:06
Again, thank you so much for your time and help. Finally a scanner that found it!
Yes, Kaspersky is one of the better scanners; I use it when it is needed, they just don't remove anything for free. ComboFix is programmed with data to go after certain infections, and MBAM is basically after rogue junk, leaving stuff like this, which is neither and is hidden from HJT, undetected.

You may navigate to those items and delete them manually; you may have to do it in Safe Mode:
c:\windows\system32\wzcsvbxm.dll <<< delete that file
C:\Documents and Settings\Brandon\Desktop\wzcsvbxm.dll <<< delete that file

or we can see if CFScript will get rid of that item for us.

Open notepad and copy/paste the text in the codebox below into it:


File::
c:\windows\system32\wzcsvbxm.dll
C:\Documents and Settings\Brandon\Desktop\wzcsvbxm.dll

Save this as
CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Post the log from CFScript if you use it.

You may want to run KOS again after the removal to be sure it is gone.

Thanks
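Both scanner outputs in this thread can be read mechanically. The script below is an added example, not a tool from the forum, Kaspersky or ComboFix: it takes the Kaspersky detection lines posted above, separates the in-memory hit (the module inside svchost.exe) from files on disk, collapses the two spellings of the system32 path into one, and emits the same File:: block that the CFScript above lists by hand; it also flags ComboFix Find3M entries carrying both the hidden and system attributes, which is how wzcsvbxm.dll stayed out of sight of HijackThis. The sample inputs are constructed from the logs above, and the meaning of the attribute letters is my assumption.

```python
"""Parse the two scanner outputs posted in this thread.

Added example for this thread; not a tool from the forum, Kaspersky or ComboFix.
It assumes the line shapes seen in the posted logs:
  Kaspersky:        <object> Infected: <threat name> <count>
                    (<object> may be 'container/inner' for archives or process modules)
  ComboFix Find3M:  <date> <time> <size or dashes> <7 attribute flags> <path>
"""
import re
from collections import Counter

# Constructed sample: the detection lines from the Kaspersky report above.
KASPERSKY_SAMPLE = r"""
File name / Threat name / Threats count
svchost.exe\wzcsvbxm.dll/svchost.exe\wzcsvbxm.dll Infected: Trojan-GameThief.Win32.WOW.bkb 1
c:\windows\system32\wzcsvbxm.dll/c:\windows\system32\wzcsvbxm.dll Infected: Trojan-GameThief.Win32.WOW.bkb 1
C:\Documents and Settings\Brandon\Desktop\wzcsvbxm.dll Infected: Trojan-GameThief.Win32.WOW.bkb 1
C:\WINDOWS\system32\wzcsvbxm.dll Infected: Trojan-GameThief.Win32.WOW.bkb 1

The selected area was scanned.
"""

# Constructed sample: three Find3M lines from the ComboFix log above.
FIND3M_SAMPLE = r"""
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2004-08-17 09:25 15,872 --sh--w C:\WINDOWS\system32\wzcsvbxm.dll
"""

DETECTION = re.compile(r"^(?P<obj>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")  # absolute Windows path, e.g. C:\WINDOWS\...
FIND3M = re.compile(r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|-+)\s+"
                    r"(?P<attrs>[a-z-]{7})\s+(?P<path>.+)$")


def parse_report(text):
    """Yield (object, threat, count) for every 'Infected:' line of a Kaspersky report."""
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            yield m.group("obj"), m.group("threat"), int(m.group("count"))


def on_disk_path(obj):
    """Return the file behind a detection, or None when it is a module inside a process.

    Kaspersky writes 'container/inner'; the container is the thing on disk.
    If the container is not an absolute path (e.g. svchost.exe\\...) the hit is
    in memory only, so there is nothing for a File:: block to delete.
    """
    container = obj.split("/", 1)[0]
    return container if DRIVE_PATH.match(container) else None


def threat_summary(text):
    """Total detections per threat name."""
    totals = Counter()
    for _obj, threat, count in parse_report(text):
        totals[threat] += count
    return dict(totals)


def infected_files(text):
    """Unique on-disk paths in first-seen order.

    NTFS paths are case-insensitive, so c:\\windows\\... and C:\\WINDOWS\\... are
    the same file and must appear only once in the CFScript.
    """
    seen, result = set(), []
    for obj, _threat, _count in parse_report(text):
        path = on_disk_path(obj)
        if path is not None and path.lower() not in seen:
            seen.add(path.lower())
            result.append(path)
    return result


def in_memory_hits(text):
    """Detections with no file path: a copy already loaded into a running process."""
    return [obj for obj, _t, _c in parse_report(text) if on_disk_path(obj) is None]


def build_cfscript(text):
    """Render the File:: block in the shape pskelley's post uses."""
    return "\n".join(["File::"] + infected_files(text)) + "\n"


def hidden_system_files(text):
    """Find3M entries whose attribute column carries both 's' and 'h'.

    Assumption (mine, from the DOS attrib letters): 's' = System, 'h' = Hidden.
    A DLL in system32 with both set, like wzcsvbxm.dll above, does not show in a
    default Explorer view and deserves a look even when HJT reports nothing.
    """
    hits = []
    for line in text.splitlines():
        m = FIND3M.match(line.strip())
        if m and "s" in m.group("attrs") and "h" in m.group("attrs"):
            hits.append((m.group("path"), m.group("when"), m.group("size")))
    return hits


if __name__ == "__main__":
    print(threat_summary(KASPERSKY_SAMPLE))
    print("loaded in a process:", in_memory_hits(KASPERSKY_SAMPLE))
    print(build_cfscript(KASPERSKY_SAMPLE), end="")
    print("hidden+system:", hidden_system_files(FIND3M_SAMPLE))
```

The in-memory hit is reported separately because deleting the file on disk is what clears it; after the reboot ComboFix asks for, the process no longer loads the DLL, which is why a second Kaspersky scan is the right confirmation.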

Adam6420
2008-07-16, 10:38
Well, the program is no longer getting an error message and Kaspersky detects nothing. Thank you so much, I spent so many hours trying to figure it out. Here are the logs. Is there anything else I should do to check and protect my computer?

ComboFix 08-07-14.2 - Brandon 2008-07-16 0:08:42.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.249 [GMT -7:00]
Running from: C:\Documents and Settings\Brandon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brandon\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Brandon\Desktop\wzcsvbxm.dll
c:\windows\system32\wzcsvbxm.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Brandon\Desktop\wzcsvbxm.dll
c:\windows\system32\wzcsvbxm.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))
.

2008-07-15 21:41 . 2008-07-15 21:41 <DIR> d-------- C:\Program Files\Common Files\ChessBase
2008-07-15 10:31 . 2008-07-15 21:41 <DIR> d-------- C:\Program Files\jose
2008-07-15 10:20 . 2008-07-15 10:20 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\ChessBase
2008-07-15 10:18 . 2008-07-15 10:25 <DIR> d-------- C:\Documents and Settings\Brandon\Application Data\ChessBase
2008-07-15 09:46 . 2008-07-15 10:25 <DIR> d-------- C:\Program Files\ChessBase
2008-07-15 09:46 . 2008-07-15 10:11 58 --a------ C:\WINDOWS\ChssBase.ini
2008-07-15 03:47 . 2008-07-15 03:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-15 03:47 . 2008-07-15 03:47 <DIR> d-------- C:\Documents and Settings\Brandon\Application Data\Malwarebytes
2008-07-15 03:47 . 2008-07-15 03:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-15 03:47 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-15 03:47 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-15 03:23 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-14 02:00 . 2008-07-14 02:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-08 21:23 . 2008-07-08 21:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-08 20:52 . 2008-07-08 20:52 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-08 20:08 . 2008-07-08 20:08 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-07-08 18:40 . 2008-07-08 18:40 <DIR> d-------- C:\Program Files\PlayOnline
2008-07-08 04:11 . 2008-07-08 04:19 <DIR> d-------- C:\Program Files\Nitto 1320 Legends
2008-07-06 04:43 . 2008-07-06 04:43 <DIR> d-------- C:\Documents and Settings\Brandon\Application Data\PlayFirst
2008-07-06 04:43 . 2008-07-06 04:43 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-05 03:09 . 2008-07-05 03:09 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PopCap
2008-07-01 22:18 . 2008-07-01 22:18 <DIR> d-------- C:\Program Files\Audacity
2008-06-30 20:00 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-06-30 16:18 . 2008-07-15 23:34 1,667 --a------ C:\WINDOWS\Bringer.INI
2008-06-29 20:07 . 2008-06-29 21:05 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-29 18:15 . 2008-06-30 00:18 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-17 15:41 . 2008-07-04 04:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-17 15:41 . 2008-06-17 15:41 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 17:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-15 10:23 --------- dc----w C:\Program Files\Java
2008-06-29 15:29 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-27 01:51 --------- dc----w C:\Program Files\DivX
2008-06-25 20:30 --------- d-----w C:\Documents and Settings\Brandon\Application Data\LimeWire
2008-06-07 04:56 --------- d-----w C:\Program Files\MSECache
2008-06-03 13:51 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 13:09 0 ----a-w C:\Program Files\temp01
2008-05-18 01:34 --------- d-----w C:\Documents and Settings\Brandon\Application Data\Move Networks
2008-03-11 11:17 483 ----a-w C:\Program Files\Shortcut to NetMeeting.lnk
.

((((((((((((((((((((((((((((( snapshot@2008-07-15_ 6.28.46.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-15 10:18:13 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-16 04:45:35 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-15 10:18:13 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-16 04:45:35 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-30 04:58:41 117,360 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-07-16 04:42:41 141,240 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-06-25 21:04:49 126,764 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-07-16 04:42:09 274,180 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-07-15 17:18:06 833,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.1002.3_x-ww_021cfae0\dxmrtp.dll
+ 2008-07-15 17:18:07 1,055,744 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.1002.3_x-ww_92561fce\rtcdll.dll
+ 2008-07-15 17:18:07 132,096 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.1002.3_x-ww_88ef1b2a\rtcres.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-10 20:12 282624]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42 1404928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b8cf959-ed92-11dc-8a21-ce3ad220a3aa}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3a68fb5-edbb-11dc-8a28-001320467212}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 09:13:56 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-07-01 08:00:07 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 00:14:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-16 0:18:12 - machine was rebooted [Brandon]
ComboFix-quarantined-files.txt 2008-07-16 07:18:05
ComboFix2.txt 2008-07-16 04:32:28
ComboFix3.txt 2008-07-15 13:29:06
ComboFix4.txt 2008-07-15 00:27:46

Pre-Run: 7,498,747,904 bytes free
Post-Run: 7,553,761,280 bytes free

159 --- E O F --- 2008-06-11 00:54:05



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:09 AM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215131419172
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6235 bytes

pskelley
2008-07-16, 15:45
> Is there anything else I should do to check and protect my computer?

Thanks for the feedback; we have just a few more steps to go, and this is the first one:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\CF-RC.txt.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

Adam6420
2008-07-16, 17:06
I have XP Media Center Edition, is there a different download I should use, or the Home or Professional one?

pskelley
2008-07-16, 17:52
As far as I know, you may have the Media Edition, but you also have
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.199
with Platform: Windows XP SP2 (WinNT 5.01.2600)
so it should work. If it does not, you would have to ask Microsoft why it was not installed by default, as most of us believe it should have been, and live without it if you did not get an actual Windows Operating System CD when you purchased your computer.

Hope that helps...Phil

Adam6420
2008-07-16, 18:25
I did the install; here is the C:\CF-RC.txt. Thanks


WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

pskelley
2008-07-16, 18:41
Good job, the RC may come in real handy in an emergency one day. A little information:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654

Let's remove combofix from your computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Make sure you have no infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Adam6420
2008-07-16, 21:19
All right, Combo Fix has been removed and all previous restore points have been cleared out. Thanks for all that great information and all your help.