Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Buritos.exe Virus and a few more! HELP ! [RESOLVED]

Started by Magnolia2 , Oct 13 2008 09:08 PM

This topic is locked

#1
Magnolia2

Posted 13 October 2008 - 09:08 PM

Member

Member
33 posts

My computer is dying. I had to use an "emergy" user acct I created for just such problems.

I ran a scan from Kasperky site and was informed of the Buritos virsus. I also have found
Faceback
GetPack32
GetModule32

and a few more that I can't recall. I just downloded HiJack This and will run it. I keep my cookies cleaned out so that only the sites I actively use (Ancestry.com, GenForum, etc) are there.

Thanks for any help. I have a lot of ancestral photos and genealogy info that I really do not want to lose. I am a 54 yr old grandmother and my computer knowledge is next to zero.

Sherry

#2
Magnolia2

Posted 13 October 2008 - 09:14 PM

Member

Topic Starter
Member
33 posts

Sorry about posting a reply. I would delete this posting if I could. Besides, My computer may not last long enough to post this log file.

The HiJackThis Log. Does it matter if I am using another "user acct" on the same computer?

--------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:40 PM, on 10/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CbEvtSvc.exe
C:\WINDOWS\QWRtaW4\command.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Admin\Local Settings\Temp\.ttDEE.tmp.exe
C:\WINDOWS\System32\rs32net.exe
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\WINDOWS\system32\update32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\lphc947j0e13j.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\buritos.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\emergency\Desktop\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [inrhcc47j0e13j] C:\Documents and Settings\Admin\Local Settings\Temp\.ttDEE.tmp.exe /CR=431FCF786A6D95BD03A9012D4E1BECB36A18556BD1B163B9269708969497CF1206F6DBB21CC94
71A60A11003A46C2D43E58442F2A049385B9D0F1F6C7760D55C1FE7095F2A0CFEE06FB75C26068F0
5
40D39ACEAC85D00E
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\emergency\svchost.exe
O4 - HKLM\..\Run: [{6a51822e-edd2-f3aa-49a9-67288e1fa0e4}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\ooubkphnts.dll" DllStub
O4 - HKLM\..\Run: [XP SecurityCenter] "C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe" /hide
O4 - HKLM\..\Run: [winlogons.exe] C:\Genealogy\GeneTreeDNA Paternity Testing and More___files\GenRecords\KGB Spy\winlogons.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [System32] C:\WINDOWS\system32\update32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\faceback.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [lphc947j0e13j] C:\WINDOWS\system32\lphc947j0e13j.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [buritos] buritos.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [msdefender] C:\WINDOWS\system32\msdefender.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\emergency\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [GetModule23] "C:\Program Files\GetModule\GetModule23.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [GetPack22] "C:\Program Files\GetPack\GetPack22.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - Startup: userinit.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - C:\Program Files\ProductsFoundry\WebCloner Pro 2.5\WebCloner.exe
O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - C:\Program Files\ProductsFoundry\WebCloner Pro 2.5\WebCloner.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.aka...vex-2.0.6.5.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.liv...es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritag...EngineQuery.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1222041489531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1222041440593
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: karina.dat
O20 - Winlogon Notify: fkusntnq - C:\WINDOWS\SYSTEM32\fkusntnq.dll
O20 - Winlogon Notify: reset5e - C:\WINDOWS\SYSTEM32\reset5e.dll
O20 - Winlogon Notify: sysfldr - C:\WINDOWS\SYSTEM32\sysfldr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRtaW4\command.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe

--
End of file - 13473 bytes

Edited by Magnolia2, 13 October 2008 - 09:43 PM.

#3
Rorschach112

Posted 14 October 2008 - 04:16 AM

Ralphie

Retired Staff
47,710 posts

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#4
Magnolia2

Posted 14 October 2008 - 07:19 AM

Member

Topic Starter
Member
33 posts

(BTW THANK YOU!!!) I will now run HiJack This again and post it in a few minutes. I don't know what all this means but it sure looks like I was infested!

(I was using Kaspersky when I got a notice of a hidden file download. When I clicked "Deny", it killed Kasperkey and rebooted my computer. The darn thing as been "sick" ever since!)

SDFix Log:

SDFix: Version 1.235
Run by Admin on Tue 10/14/2008 at 07:30 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\ATI3INXX.sys - Rootkit Pandex/Cutwail - Protect.sys

Name :
CbEvtSvc
cmdService
ICF
Network Monitor
tcpsr
ATI3INXX

Path :
%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
C:\WINDOWS\QWRtaW4\command.exe
C:\WINDOWS\system32\svchost.exe:ext.exe
C:\Program Files\Network Monitor\netmon.exe service
\??\C:\WINDOWS\System32\drivers\tcpsr.sys
System32\Drivers\ati3inxx.sys

CbEvtSvc - Deleted
cmdService - Deleted
ICF - Deleted
Network Monitor - Deleted
tcpsr - Deleted
ATI3INXX - Deleted

Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Resetting SecurityProviders Value
Restoring Default ScreenSaver value
Restoring Default Schedule Service Path
Resetting AppInit_DLLs value

Rebooting

Service ATI3INXX - Deleted
Service asc3550p - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\lphc947j0e13j.exe - Deleted
C:\WINDOWS\system32\FKUSNTNQ.dll - Deleted
C:\WINDOWS\system32\FKUSNT~1.dll - Deleted
C:\WINDOWS\QWRtaW4\asappsrv.dll - Deleted
C:\WINDOWS\QWRtaW4\command.exe - Deleted
C:\WINDOWS\QWRtaW4\kqlQuqb.vbs - Deleted
C:\WINDOWS\system32\phc947j0e13j.bmp - Deleted
C:\WINDOWS\SYSTEM32\UYIRDHFP.TMP - Deleted
C:\WINDOWS\system32\blphc947j0e13j.scr - Deleted
C:\DOCUME~1\ADMIN\COOKIES\EMYXYJ.DLL - Deleted
C:\DOCUME~1\ADMIN\COOKIES\JUBEBE~1.VBS - Deleted
C:\DOCUME~1\ADMIN\COOKIES\POZITU.VBS - Deleted
C:\Documents and Settings\Admin\svchost.exe - Deleted
C:\Documents and Settings\emergency\svchost.exe - Deleted
C:\Documents and Settings\LocalService\svchost.exe - Deleted
C:\Documents and Settings\Admin\Application Data\Gool\Gool.exe - Deleted
C:\Documents and Settings\Admin\Application Data\SpeedRunner\config.cfg - Deleted
C:\Documents and Settings\Admin\Application Data\SpeedRunner\SpeedRunner.exe - Deleted
C:\Documents and Settings\Admin\Application Data\SpeedRunner\SRUninstall.exe - Deleted
C:\Documents and Settings\Admin\Local Settings\Temp\.ttDEE.tmp.exe - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\Documents and Settings\Admin\Local Settings\Temp\v3xd1.g22me - Deleted
C:\Documents and Settings\Admin\Local Settings\Temp\v4xd3.ga2me - Deleted
C:\Documents and Settings\Admin\Local Settings\Temp\v4xd6.gam5e - Deleted
C:\Documents and Settings\Admin\Local Settings\Temp\v5xd2.g3ame - Deleted
C:\Documents and Settings\Admin\Local Settings\Temp\v5xd4.ga2me - Deleted
C:\Documents and Settings\Admin\Local Settings\Temp\v6xdt4.game - Deleted
C:\Documents and Settings\emergency\Local Settings\Temp\v3xd1.g22me - Deleted
C:\Documents and Settings\emergency\Local Settings\Temp\v4xd3.ga2me - Deleted
C:\Documents and Settings\emergency\Local Settings\Temp\v4xd6.gam5e - Deleted
C:\Documents and Settings\emergency\Local Settings\Temp\v5xd2.g3ame - Deleted
C:\Documents and Settings\emergency\Local Settings\Temp\v5xd4.ga2me - Deleted
C:\Documents and Settings\emergency\Local Settings\Temp\v6xdt4.game - Deleted
C:\Documents and Settings\Admin\Local Settings\Temp\vx1dt1.game - Deleted
C:\Documents and Settings\Admin\Local Settings\Temp\vx1dt3.game - Deleted
C:\Documents and Settings\Admin\Local Settings\Temp\vx3dt2.game - Deleted
C:\Documents and Settings\emergency\Local Settings\Temp\vx1dt1.game - Deleted
C:\Documents and Settings\emergency\Local Settings\Temp\vx1dt3.game - Deleted
C:\Documents and Settings\emergency\Local Settings\Temp\vx3dt2.game - Deleted
C:\Program Files\GetModule\dicik.gz - Deleted
C:\Program Files\GetModule\GetModule23.exe - Deleted
C:\Program Files\GetModule\kwdik.gz - Deleted
C:\Program Files\GetPack\dictame.gz - Deleted
C:\Program Files\GetPack\GetPack22.exe - Deleted
C:\Program Files\GetPack\trgtame.gz - Deleted
C:\Program Files\iCheck\iCheck.exe - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted
C:\Program Files\Mjcore\Mjcore.dll - Deleted
C:\Program Files\VnrBlock\VnrBlock21.exe - Deleted
C:\Program Files\VnrBlock\xtarga.gz - Deleted
C:\Program Files\Webtools\webtools.dll - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.tt12.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.tt2.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.tt7.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.tt9.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttA.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttC.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttDE1.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttDEE.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttDF5.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttDF7.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttDF9.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttDFB.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttDFD.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttDFF.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttE01.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttE03.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttE06.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttE08.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttE0A.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttE0C.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttE0E.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttE10.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttE12.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttE14.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttE17.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttDEE.tmp.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.tt2.tmp.vbs - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.tt5.tmp.vbs - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttA.tmp.vbs - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\.ttDE1.tmp.vbs - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\Binaries1.cab2 - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\Binaries1.cab3 - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\Binaries2.cab3 - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\gettpa123.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\gettpa222.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\gettpa421.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp3C.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp55.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp9.tmp - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmpB.tmp - Deleted
C:\WINDOWS\b103.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b116.exe - Deleted
C:\WINDOWS\b157.exe - Deleted
C:\WINDOWS\b161.exe - Deleted
C:\WINDOWS\system32\~.exe - Deleted
C:\WINDOWS\system32\vedxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vedxg6ame4.exe - Deleted
C:\WINDOWS\system32\vedxga1me4t1.exe - Deleted
C:\WINDOWS\system32\vedxga4m1et4.exe - Deleted
C:\WINDOWS\system32\vedxga4me1.exe - Deleted
C:\WINDOWS\system32\wini10251.exe - Deleted
C:\WINDOWS\system32\wpv673.cpx - Deleted
C:\WINDOWS\system32\wpv761.cpx - Deleted
C:\WINDOWS\system32\wpv673.cpx - Deleted
C:\WINDOWS\system32\wpv761.cpx - Deleted
C:\WINDOWS\system32\wpx152.cpx - Deleted
C:\Documents and Settings\Admin\Start Menu\Programs\Startup\userinit.exe - Deleted
C:\Program Files\Network Monitor\netmon.exe - Deleted
C:\Documents and Settings\Admin\svchost.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\Binaries1.zip - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\Binaries2.zip - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\Binaries3.zip - Deleted
C:\WINDOWS\brastk.exe - Deleted
C:\WINDOWS\buritos.exe - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\faceback.exe - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\karina.dat - Deleted
C:\WINDOWS\karna.dat - Deleted
C:\WINDOWS\system32\_scui.cpl - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\brastk.exe - Deleted
C:\WINDOWS\system32\braviax.exe - Deleted
C:\WINDOWS\system32\buritos.exe - Deleted
C:\WINDOWS\system32\CbEvtSvc.exe - Deleted
C:\WINDOWS\system32\dlds1.exe - Deleted
C:\WINDOWS\system32\dlds2.exe - Deleted
C:\WINDOWS\system32\dlds5.exe - Deleted
C:\WINDOWS\system32\dlds6.exe - Deleted
C:\WINDOWS\system32\dlds7.exe - Deleted
C:\WINDOWS\system32\dlds8.exe - Deleted
C:\WINDOWS\system32\getsn32.dll - Deleted
C:\WINDOWS\system32\karina.dat - Deleted
C:\WINDOWS\system32\karna.dat - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\msansspc.dll - Deleted
C:\WINDOWS\system32\msdefender.exe - Deleted
C:\WINDOWS\system32\rs32net.exe - Deleted
C:\WINDOWS\system32\smwin32.dll - Deleted
C:\WINDOWS\system32\sysfldr.dll - Deleted
C:\WINDOWS\system32\update32.exe - Deleted
C:\WINDOWS\system32\vx.tll - Deleted
C:\WINDOWS\system32\winivstr.exe - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted
C:\WINDOWS\wiaservb.log - Deleted
C:\WINDOWS\system32\drivers\asc3550p.sys - Deleted
C:\WINDOWS\system32\drivers\services.exe - Deleted
C:\WINDOWS\system32\drivers\ATI3INXX.sys - Deleted

Folder C:\Documents and Settings\Admin\Application Data\Gool - Removed
Folder C:\Documents and Settings\Admin\Application Data\SpeedRunner - Removed
Folder C:\Program Files\GetModule - Removed
Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Mjcore - Removed
Folder C:\Program Files\Network Monitor - Removed
Folder C:\Program Files\VnrBlock - Removed
Folder C:\Program Files\Webtools - Removed
Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed

Removing Temp Files

ADS Check :

C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 25088 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 07:46:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ContentIndex\Catalogs\System]
"IsIndexingW3Svc"=dword:00000000
"IsIndexingNNTPSvc"=dword:00000000
"Location"="C:\System Volume Information"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\tourp.exe]
"0"=hex:00,00,1e,00,00,00,05,00
"1"=hex:82,cf,0c,ea,25,a6,21,d5,c4,01,d6,18,b2,ce,f7,75,75,84,e8,41,34,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Abiosdsk]
"ErrorControl"=dword:00000000
"Group"="Primary disk"
"Start"=dword:00000004
"Tag"=dword:00000003
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\abiosdsk]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\intelide]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\IntelIde.sys"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\PptpMiniport]
"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IntelIde]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Tag"=dword:00000004
"Type"=dword:00000001
"ImagePath"=str(2):"system32\DRIVERS\intelide.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PptpMiniport]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"system32\DRIVERS\raspptp.sys"
"DisplayName"="WAN Miniport (PPTP)"
"Description"="WAN Miniport (PPTP)"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PptpMiniport\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\System]
"IsIndexingW3Svc"=dword:00000000
"IsIndexingNNTPSvc"=dword:00000000
"Location"="C:\System Volume Information"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\tourp.exe]
"0"=hex:00,00,1e,00,00,00,05,00
"1"=hex:82,cf,0c,ea,25,a6,21,d5,c4,01,d6,18,b2,ce,f7,75,75,84,e8,41,34,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Abiosdsk]
"ErrorControl"=dword:00000000
"Group"="Primary disk"
"Start"=dword:00000004
"Tag"=dword:00000003
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\abiosdsk]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\intelide]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\IntelIde.sys"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\napagent]
"EventMessageFile"=str(2):"%SystemRoot%\System32\qagentrt.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\PptpMiniport]
"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelIde]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Tag"=dword:00000004
"Type"=dword:00000001
"ImagePath"=str(2):"system32\DRIVERS\intelide.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent]
"DisplayName"="Network Access Protection Agent"
"Description"="Allows windows clients to participate in Network Access Protection"
"Type"=dword:00000020
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"%SystemRoot%\System32\svchost.exe -k netsvcs"
"DependOnService"=str(7):"RpcSs\0"
"ObjectName"="localSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\Parameters]
"ServiceDll"=str(2):"%SystemRoot%\System32\qagentrt.dll"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\Qecs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\Shas]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\SohCache]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"system32\DRIVERS\raspptp.sys"
"DisplayName"="WAN Miniport (PPTP)"
"Description"="WAN Miniport (PPTP)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rrvvnnzj]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\rrvvnnzj.sys"
"DisplayName"="rrvvnnzj"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rrvvnnzj\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\ContentIndex\Catalogs\System]
"IsIndexingW3Svc"=dword:00000000
"IsIndexingNNTPSvc"=dword:00000000
"Location"="C:\System Volume Information"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Nls\MUILanguages\RCV2\tourp.exe]
"0"=hex:00,00,1e,00,00,00,05,00
"1"=hex:82,cf,0c,ea,25,a6,21,d5,c4,01,d6,18,b2,ce,f7,75,75,84,e8,41,34,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Abiosdsk]
"ErrorControl"=dword:00000000
"Group"="Primary disk"
"Start"=dword:00000004
"Tag"=dword:00000003
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Eventlog\System\abiosdsk]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Eventlog\System\intelide]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\IntelIde.sys"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Eventlog\System\napagent]
"EventMessageFile"=str(2):"%SystemRoot%\System32\qagentrt.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Eventlog\System\PptpMiniport]
"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\IntelIde]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Tag"=dword:00000004
"Type"=dword:00000001
"ImagePath"=str(2):"system32\DRIVERS\intelide.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\napagent]
"DisplayName"="Network Access Protection Agent"
"Description"="Allows windows clients to participate in Network Access Protection"
"Type"=dword:00000020
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"%SystemRoot%\System32\svchost.exe -k netsvcs"
"DependOnService"=str(7):"RpcSs\0"
"ObjectName"="localSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\napagent\LocalConfig]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\napagent\Parameters]
"ServiceDll"=str(2):"%SystemRoot%\System32\qagentrt.dll"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\napagent\Qecs]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\napagent\Shas]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\napagent\SohCache]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\PptpMiniport]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"system32\DRIVERS\raspptp.sys"
"DisplayName"="WAN Miniport (PPTP)"
"Description"="WAN Miniport (PPTP)"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\PptpMiniport\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\rrvvnnzj]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\rrvvnnzj.sys"
"DisplayName"="rrvvnnzj"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\rrvvnnzj\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\WinSock2]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MOH.exe]
"Path"="C:\Program Files\NetWaiting"
@="C:\Program Files\NetWaiting\MOH.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\DeluxeCD\Providers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CSSFilters]
"oavredirect"="{999937BC-30FE-11D4-BA52-00C04F6843FA}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu\StartMenuRun]
"Type"="checkbox"
"Text"="@shell32.dll,-30474"
"HKeyRoot"=dword:80000001
"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
"ValueName"="StartMenuRun"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="windows.hlp#51142"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\ShowPrinters]
"Type"="checkbox"
"Text"="@shell32.dll,-30493"
"HKeyRoot"=dword:80000001
"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
"ValueName"="Start_ShowPrinters"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\AUTOMATIC_ACTIVEX_UI\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2201"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\BBHVR\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2000"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\DOWNLOAD\AUTOMATIC_DOWNLOAD_UI\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2200"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA\DISABLE]
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA]
"Type"="group"
"Text"="Submit non-encrypted form data"
"PlugUIText"="@inetcplc.dll,-4797"
"Bitmap"="C:\WINDOWS\system32\inetcpl.cpl,4443"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\ALLOW]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Enable"
"PlugUIText"="@inetcplc.dll,-4803"
"ValueName"="1601"
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000003
"Mask"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\DENY]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="1601"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"Mask"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\QUERY]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Prompt"
"PlugUIText"="@inetcplc.dll,-4804"
"ValueName"="1601"
"CheckedValue"=dword:00000001
"DefaultValue"=dword:00000003
"Mask"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\MIME_SNIFFING\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2100"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\RESTRICTED_PROTOCOLS\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2300"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\WINDOW_RESTRICTIONS\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2102"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\ZONE_ELEVATION\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2101"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\AUTOMATIC_ACTIVEX_UI\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2201"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\BBHVR\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2000"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\DOWNLOAD\AUTOMATIC_DOWNLOAD_UI\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2200"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\JAVAPER\JAVA\DISABLE]
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable Java"
"PlugUIText"="@inetcplc.dll,-4818"
"ValueName"="1C00"
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
"HKeyRoot"=dword:80000002
"HelpID"="iexplore.hlp#50241"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA]
"Type"="group"
"Text"="Submit non-encrypted form data"
"PlugUIText"="@inetcplc.dll,-4797"
"Bitmap"="C:\WINDOWS\system32\inetcpl.cpl,4443"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\ALLOW]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Enable"
"PlugUIText"="@inetcplc.dll,-4803"
"ValueName"="1601"
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000003
"HKeyRoot"=dword:80000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\DENY]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="1601"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"HKeyRoot"=dword:80000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\QUERY]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Prompt"
"PlugUIText"="@inetcplc.dll,-4804"
"ValueName"="1601"
"CheckedValue"=dword:00000001
"DefaultValue"=dword:00000003
"HKeyRoot"=dword:80000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\MIME_SNIFFING\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2100"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\RESTRICTED_PROTOCOLS\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2300"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\WINDOW_RESTRICTIONS\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2102"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\ZONE_ELEVATION\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcplc.dll,-4805"
"ValueName"="2101"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName"=str(2):"stdout"
"Active"=dword:00000001
"ControlFlags"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\fullpage]
"a"="C:\Documents and Settings\Admin\My Documents\My Pictures\Ebay Items\1963 Beaumont newspapers\BmtJou3.fullpage"
"MRUList"="a"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]
"Days between clean up"=dword:0000003c
"NoRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg3]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU]
"0"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"1"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"2"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"3"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"4"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"5"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"6"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"7"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"8"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"9"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"10"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"11"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"12"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"13"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"14"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"15"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"16"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"17"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"18"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"19"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"20"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"21"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"22"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"23"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"24"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"25"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"26"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"27"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"28"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"29"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"30"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"31"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"32"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"33"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"34"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"35"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"36"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"37"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"38"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"39"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"40"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"41"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"42"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"43"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"44"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"45"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"46"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"47"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"48"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"49"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"50"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"51"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"53"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"57"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"58"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"59"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"60"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"61"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"62"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"63"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"64"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"65"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"66"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"67"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"68"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"69"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"70"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"71"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"72"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"73"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"74"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"75"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"76"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"77"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"78"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"79"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"80"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"81"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"82"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"83"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"84"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"85"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"86"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"87"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"88"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"89"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"90"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"91"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"92"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"93"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"94"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"95"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"96"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"97"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"98"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"99"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"100"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"101"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"102"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"103"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"104"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"105"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"106"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"107"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"108"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"109"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"MRUListEx"=hex:f2,01,00,00,f1,01,00,00,f0,01,00,00,ef,01,00,00,ee,01,00,00,ed,..
"110"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"111"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"112"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"113"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"114"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"115"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"116"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"117"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"118"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"119"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"120"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"121"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"122"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"123"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"124"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"125"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"126"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"127"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"128"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"129"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"130"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"131"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"132"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"133"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"134"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"135"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"136"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"137"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"138"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"139"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"140"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"141"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"142"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"143"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"144"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"145"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"146"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"147"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"148"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"149"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"150"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"151"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"152"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"153"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"154"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"155"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"156"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"157"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"158"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"159"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"160"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"161"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"162"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"163"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"164"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"165"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"166"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"167"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"168"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"169"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"170"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"171"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"172"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"173"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"174"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"175"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"176"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"177"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"178"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"179"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"180"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"181"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"182"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"183"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"184"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"185"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"186"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"187"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"188"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"189"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"190"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"52"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"54"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"55"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"56"=hex:43,00,3a,00,5c

#5
Magnolia2

Posted 14 October 2008 - 07:22 AM

Member

Topic Starter
Member
33 posts

"56"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"191"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"192"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"193"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"194"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"195"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"196"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"197"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"198"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"199"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"200"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"201"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"202"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"203"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"204"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"205"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"206"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"207"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"208"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"209"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"210"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"211"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"212"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"213"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"214"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"215"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"216"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"217"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"218"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"219"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"220"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"221"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"222"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"223"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"224"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"225"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"226"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"227"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"228"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"229"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"230"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"231"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"232"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"233"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"234"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"235"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"236"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"237"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"238"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"239"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"240"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"241"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"242"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"243"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"244"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"245"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"246"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"247"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"248"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"249"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"250"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"251"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"252"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"253"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"254"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"255"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"256"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"257"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"258"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"259"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"260"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"261"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"262"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"263"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"264"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"265"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"266"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"267"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"268"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"269"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"270"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"271"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"272"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"273"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"274"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"275"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"276"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"277"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"278"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"279"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"280"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"281"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"282"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"283"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"284"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"285"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"286"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"287"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"288"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"289"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"290"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"291"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"292"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"293"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"294"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"295"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"296"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"297"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"298"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"299"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"300"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"301"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"302"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"303"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"304"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"305"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"306"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"307"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"308"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"309"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"310"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"311"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"312"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"313"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"314"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"315"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"316"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"317"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"318"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"319"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"320"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"321"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"322"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"323"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"324"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"325"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"326"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"327"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"328"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"329"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"330"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"331"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"332"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"333"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"334"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"335"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"336"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"337"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"338"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"339"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"340"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"341"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"342"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"343"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"344"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"345"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"346"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"347"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"348"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"349"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"350"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"351"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"352"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"353"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"354"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"355"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"356"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"357"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"358"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"359"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"360"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"361"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"362"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"363"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"364"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"365"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"366"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"367"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"368"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"369"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"370"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"371"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"372"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"373"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"374"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"375"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"376"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"377"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"378"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"379"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"380"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"381"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"382"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"384"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"385"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"386"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"387"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"388"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"389"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"390"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"391"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"392"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"393"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"394"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"395"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"396"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"397"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"398"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"399"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"400"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"401"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"402"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"403"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"404"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"405"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"406"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"407"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"408"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"409"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"410"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"411"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"412"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"413"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"414"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"415"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"416"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"417"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"418"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"419"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"420"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"421"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"422"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"423"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"424"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"425"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"426"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"427"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"428"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"429"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"430"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"431"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"432"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"433"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"434"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"435"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"436"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"437"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"438"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"439"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"440"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"441"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"442"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"443"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"444"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"445"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"446"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"447"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"448"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"449"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"450"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"451"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"452"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"453"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"454"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"455"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"456"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"457"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"458"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"459"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"460"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"461"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"462"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"463"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"464"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"465"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"466"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"467"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"468"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"469"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"470"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"471"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"472"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"473"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"474"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"475"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"476"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"477"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"478"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"479"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"480"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"481"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"482"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"483"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"484"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"485"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"486"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"487"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"488"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"489"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"490"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"491"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"492"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"493"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"494"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"495"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"496"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"497"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"498"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"499"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"383"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ssby.com]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\urlstat.ru]
"*"=dword:00000004

scanning hidden files ...

C:\WINDOWS\system32\drivers\rrvvnnzj.sys 177664 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 3
hidden files: 1

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Genealogy\\GeneTreeDNA Paternity Testing and More___files\\GenRecords\\ASMonitor\\ASMonitor.exe"="C:\\Genealogy\\GeneTreeDNA Paternity Testing and More___files\\GenRecords\\ASMonitor\\ASMonitor.exe:*:Enabled:System"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Genealogy\\New Folder\\ACSPMonitor\\ASMonitor.exe"="C:\\Genealogy\\New Folder\\ACSPMonitor\\ASMonitor.exe:*:Enabled:System"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Disabled:Google Talk"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Disabled:Skype"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\kav\\kav7\\setup.exe"="C:\\kav\\kav7\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"
"C:\\Program Files\\ProductsFoundry\\WebCloner Pro 2.5\\WebCloner.exe"="C:\\Program Files\\ProductsFoundry\\WebCloner Pro 2.5\\WebCloner.exe:*:Enabled:ProductsFoundry WebCloner"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\DOCUME~1\\Admin\\LOCALS~1\\Temp\\C.tmp.exe"="C:\\DOCUME~1\\Admin\\LOCALS~1\\Temp\\C.tmp.exe:*:Enabled:msdefender.exe"
"C:\\WINDOWS\\system32\\msdefender.exe"="C:\\WINDOWS\\system32\\msdefender.exe:*:Enabled:msdefender.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 25 Dec 2005 56 A.SHR --- "C:\i386\1CAADE2B9F.sys"
Sun 25 Dec 2005 3,350 A.SH. --- "C:\i386\KGyGaAvL.sys"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 12 Aug 2008 104 ..SHR --- "C:\WINDOWS\system32\1CAADE2B9F.sys"
Fri 24 Nov 2006 88 ..SHR --- "C:\WINDOWS\system32\9F2BDEAA1C.sys"
Mon 13 Oct 2008 7,520 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 24 Dec 2006 47,104 ...H. --- "C:\Documents and Settings\Admin\My Documents\Resume\~WRL4100.tmp"
Sat 29 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 20 Dec 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 20 Dec 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Tue 20 Dec 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Thu 22 Dec 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!

#6
Rorschach112

Posted 14 October 2008 - 07:25 AM

Ralphie

Retired Staff
47,710 posts

Post the ComboFix log as well

#7
Magnolia2

Posted 14 October 2008 - 07:26 AM

Member

Topic Starter
Member
33 posts

NEW HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:23 AM, on 10/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RRRRAADB] %systemroot%\RRRRAADB.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ffko] C:\PROGRA~1\COMMON~1\ffko\ffkom.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Lookup Meaning - res://C:\Program Files\ieSpell\iespell.dll/LOOKUPMEANING.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://www.tsl.state.tx.us
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.aka...vex-2.0.6.5.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.liv...es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritag...EngineQuery.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1222041489531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1222041440593
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: fkusntnq - fkusntnq.dll (file missing)
O20 - Winlogon Notify: reset5e - C:\WINDOWS\SYSTEM32\reset5e.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 10111 bytes

#8
Rorschach112

Posted 14 October 2008 - 07:37 AM

Ralphie

Retired Staff
47,710 posts

Post the ComboFix log

#9
Magnolia2

Posted 14 October 2008 - 07:49 AM

Member

Topic Starter
Member
33 posts

QUESTION:

My Floppy and CD rom (?) drives do not work. In order to use the Recovery Console, must I create the 6 disks? Can I just leave it on my desktop. If I have to create the disks, I probably should not run the ComboFix program (I do have it on my desktop).

#10
Rorschach112

Posted 14 October 2008 - 07:52 AM

Ralphie

Retired Staff
47,710 posts

Leave the Recovery Console and go ahead and run ComboFix

#11
Magnolia2

Posted 14 October 2008 - 10:17 AM

Member

Topic Starter
Member
33 posts

The computer seems to be running slow but it may be it is adjusting to "being able to breathe"...?

ComboFix Log:

ComboFix 08-10-12.01 - Admin 2008-10-14 10:40:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.678 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\DOBE~1
C:\Documents and Settings\Admin\Cookies\idep.com
C:\Documents and Settings\Admin\Cookies\nuhyxyl.pif
C:\Documents and Settings\Admin\Cookies\oqebubamo.reg
C:\Documents and Settings\Admin\Cookies\romohi.inf
C:\Documents and Settings\Admin\Cookies\taga.db
C:\Documents and Settings\Admin\Cookies\tyma._sy
C:\Documents and Settings\Admin\Cookies\udacew.reg
C:\Documents and Settings\Admin\Cookies\ufypuze.db
C:\Documents and Settings\Admin\Cookies\ujupib.scr
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\AlxRes_dll_IMAGE_bg_popup.gif
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\AlxRes_dll_IMAGE_window_sliver.gif
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\arab.ban
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\ducuti._dl
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\fpinst.exe
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\fuwajim.dl
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\gohinave.dat
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\orebav.inf
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\qahokoky.reg
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\ybecu._sy
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\ywyfiseli.pif
C:\Documents and Settings\emergency\Start Menu\Programs\Startup\userinit.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
C:\Program Files\alexa toolbar
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Instant Buzz
C:\Program Files\Instant Buzz\.ibp
C:\Program Files\Instant Buzz\slhightower.ibp
C:\WINDOWS\Downloaded Program Files\MyWebEx
C:\WINDOWS\Downloaded Program Files\MyWebEx\319\atrares.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\319\racfg.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\319\ratrace.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\319\trace.txt
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\1045425041.dll
C:\WINDOWS\system32\243057841.dll
C:\WINDOWS\system32\drivers\rrvvnnzj.sys
C:\WINDOWS\system32\tsuninst.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550P
-------\Legacy_RRVVNNZJ
-------\Service_rrvvnnzj

((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
.

2008-10-14 07:40 . 2008-10-14 07:40 29 --a------ C:\WINDOWS\system32\tpoigref.tmp
2008-10-14 07:28 . 2008-10-14 07:28 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-10-14 07:22 . 2008-10-14 07:23 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-14 07:15 . 2008-10-14 08:23 <DIR> d-------- C:\SDFix
2008-10-14 05:17 . 2008-10-14 05:17 <DIR> d-------- C:\_OTScanIt
2008-10-14 05:03 . 2008-10-14 05:03 138,400 --a------ C:\WINDOWS\system32\drivers\wanatw4.sys
2008-10-13 21:47 . 2005-12-20 09:06 <DIR> d--h----- C:\Documents and Settings\emergency\Application Data\Gtek
2008-10-13 21:47 . 2008-10-14 07:36 <DIR> d-------- C:\Documents and Settings\emergency
2008-10-12 14:57 . 2008-10-12 14:57 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-10-12 14:57 . 2008-10-12 14:57 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-10-12 14:42 . 2008-10-14 07:36 <DIR> d-------- C:\WINDOWS\QWRtaW4
2008-10-12 14:37 . 2008-10-14 07:18 <DIR> d-------- C:\Program Files\Common Files\ffko
2008-10-11 14:23 . 2008-04-13 19:12 11,776 --a------ C:\WINDOWS\system32\reset5e.dll
2008-10-11 13:41 . 2008-10-11 13:41 85,008 --a------ C:\WINDOWS\system32\uesiuqcr.exe
2008-10-11 13:40 . 2008-10-11 21:50 16,896 --a------ C:\Documents and Settings\Admin\~.exe
2008-10-02 20:47 . 2008-10-02 20:48 <DIR> d-------- C:\PCOMP5
2008-10-02 20:47 . 2006-01-18 17:47 1,925,120 --a------ C:\WINDOWS\system32\cdintf250.dll
2008-10-02 20:45 . 2008-10-02 20:45 <DIR> d-------- C:\Program Files\FamilySearch
2008-09-30 09:14 . 2008-09-30 09:17 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SecondLife
2008-09-30 09:14 . 2008-10-11 21:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-30 09:14 . 2008-09-30 09:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-22 03:07 . 2008-09-22 03:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-09-21 20:47 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-21 20:47 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-21 20:46 . 2008-06-13 06:05 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-21 20:30 . 2008-05-08 09:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-09-21 20:17 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-21 20:06 . 2008-09-21 20:06 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-21 20:06 . 2008-09-21 20:06 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-21 20:06 . 2008-09-21 20:06 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-21 20:06 . 2008-09-21 20:06 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-21 20:01 . 2008-09-21 20:01 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-21 19:50 . 2008-09-21 19:50 <DIR> d-------- C:\WINDOWS\EHome
2008-09-21 19:37 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-09-21 19:37 . 2004-08-03 22:41 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2008-09-21 19:37 . 2004-08-03 22:41 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2008-09-21 19:37 . 2004-07-17 22:55 129,045 --------- C:\WINDOWS\system32\drivers\cxthsfs2.cty
2008-09-21 18:58 . 2008-07-18 22:10 33,992 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-09-21 18:58 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-09-21 18:58 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-21 18:58 . 2008-07-18 22:08 20,680 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 10:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-14 02:48 --------- d-----w C:\Program Files\Web Publish
2008-09-23 03:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-18 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-09-14 02:49 --------- d-----w C:\Program Files\EPSON
2008-09-07 08:45 --------- d-----w C:\Program Files\Family Tree Maker 2005
2008-09-06 19:27 --------- d-----w C:\Program Files\AVG
2008-09-06 18:57 --------- d-----w C:\Program Files\Kaspersky Lab
2008-09-05 17:07 18,610 ----a-w C:\WINDOWS\dofujezi.pif
2008-09-05 17:07 17,304 ----a-w C:\Documents and Settings\Admin\Application Data\qawutysave.com
2008-09-05 17:07 17,289 ----a-w C:\Documents and Settings\Admin\Application Data\ficek.pif
2008-09-05 17:07 16,238 ----a-w C:\WINDOWS\ubyja.bin
2008-09-05 17:07 15,729 ----a-w C:\WINDOWS\usupa.scr
2008-09-05 17:07 14,942 ----a-w C:\Program Files\Common Files\cuwumyxyf.scr
2008-09-05 17:07 14,262 ----a-w C:\Documents and Settings\All Users\Application Data\bejujo.sys
2008-09-05 17:07 10,655 ----a-w C:\WINDOWS\miquzoj.sys
2008-09-05 17:07 10,589 ----a-w C:\WINDOWS\uturyqaby.scr
2008-09-05 17:07 10,514 ----a-w C:\WINDOWS\ekuherymy.exe
2008-09-05 17:07 10,170 ----a-w C:\Documents and Settings\All Users\Application Data\ubifovoqep.bat
2008-09-05 14:09 19,397 ----a-w C:\Program Files\Common Files\huhubiwelu._sy
2008-09-05 14:09 19,262 ----a-w C:\Documents and Settings\All Users\Application Data\pyvur.vbs
2008-09-05 14:09 18,941 ----a-w C:\WINDOWS\togavo.vbs
2008-09-05 14:09 17,714 ----a-w C:\Documents and Settings\Admin\Application Data\wolodip.com
2008-09-05 14:09 11,575 ----a-w C:\Program Files\Common Files\izowo.exe
2008-09-05 14:09 10,011 ----a-w C:\WINDOWS\apuz.bat
2008-09-05 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-05 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-05 01:09 18,713 ----a-w C:\WINDOWS\ledybubu.dll
2008-09-05 01:09 15,090 ----a-w C:\Documents and Settings\Admin\Application Data\paduseqeby.exe
2008-09-05 01:09 14,954 ----a-w C:\Program Files\Common Files\hetyr.bin
2008-09-05 01:09 12,155 ----a-w C:\Documents and Settings\Admin\Application Data\qofizi.dat
2008-08-14 19:30 --------- d-----w C:\Program Files\Java
2006-06-23 18:57 3,167,744 ----a-w C:\Documents and Settings\Admin\gosetup.exe
2006-11-24 17:34 88 --sh--r C:\WINDOWS\system32\9F2BDEAA1C.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-08 282624]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-08-29 188416]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2000-09-29 C:\WINDOWS\system32\WFXSNT40.EXE]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-12-31 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-09-02 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-17 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-20 24576]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-12-22 169472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\1&1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\1&1\1&1 EasyLogin

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe]
1&1 EasyLogin HIDE [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 03:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 1 (0x1)

S2 pxppttpp;pxppttpp;C:\WINDOWS\system32\drivers\pxppttpp.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93e9f11d-899c-11dd-929b-001320c6a326}]
\Shell\AutoRun\command - E:\rcaeasyrip_setup.exe
\Shell\install\command - E:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - E:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - E:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - E:\rcaeasyrip_setup.exe /pdf_Spanish
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKCU-Run-ffko - C:\PROGRA~1\COMMON~1\ffko\ffkom.exe
HKCU-Run-OE_OEM - C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
HKLM-Run-RRRRAADB - C:\WINDOWS\RRRRAADB.exe
HKLM-Run-Easy Dock - (no file)
Notify-fkusntnq - fkusntnq.dll
MSConfigStartUp-RRRRAADB - C:\WINDOWS\RRRRAADB.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\12voyv8n.default\
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 10:50:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Crypserv.exe
.
**************************************************************************
.
Completion time: 2008-10-14 11:10:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-14 16:09:20

Pre-Run: 31,893,463,040 bytes free
Post-Run: 31,855,370,240 bytes free

234 --- E O F --- 2008-09-23 03:38:40

#12
Rorschach112

Posted 14 October 2008 - 10:25 AM

Ralphie

Retired Staff
47,710 posts

Hello

Plug your USB key in for this

Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo.com/forum/Buritos-exe-Virus-few-more-HELP-t214524.html#entry1352166

Collect::
C:\WINDOWS\system32\tpoigref.tmp
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\reset5e.dll
C:\WINDOWS\system32\uesiuqcr.exe
C:\Documents and Settings\Admin\~.exe
C:\WINDOWS\dofujezi.pif
C:\Documents and Settings\Admin\Application Data\qawutysave.com
C:\Documents and Settings\Admin\Application Data\ficek.pif
C:\WINDOWS\ubyja.bin
C:\WINDOWS\usupa.scr
C:\Program Files\Common Files\cuwumyxyf.scr
C:\Documents and Settings\All Users\Application Data\bejujo.sys
C:\WINDOWS\miquzoj.sys
C:\WINDOWS\uturyqaby.scr
C:\WINDOWS\ekuherymy.exe
C:\Documents and Settings\All Users\Application Data\ubifovoqep.bat
C:\Program Files\Common Files\huhubiwelu._sy
C:\Documents and Settings\All Users\Application Data\pyvur.vbs
C:\WINDOWS\togavo.vbs
C:\Documents and Settings\Admin\Application Data\wolodip.com
C:\Program Files\Common Files\izowo.exe
C:\WINDOWS\apuz.bat
C:\WINDOWS\ledybubu.dll
C:\Documents and Settings\Admin\Application Data\paduseqeby.exe
C:\Program Files\Common Files\hetyr.bin
C:\Documents and Settings\Admin\Application Data\qofizi.dat
C:\WINDOWS\system32\drivers\pxppttpp.sys
E:\rcaeasyrip_setup.exe

Folder::
C:\Program Files\Common Files\ffko
C:\WINDOWS\QWRtaW4

KillAll::

Sysrst::

Driver::
pxppttpp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93e9f11d-899c-11dd-929b-001320c6a326}]

Suspect::

Save this as CFScript.txt

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.
A browser will open.
Simply follow the instructions to copy/paste/send the requested file.

#13
Magnolia2

Posted 14 October 2008 - 10:37 AM

Member

Topic Starter
Member
33 posts

What is a "USB Key"?

#14
Rorschach112

Posted 14 October 2008 - 10:38 AM

Ralphie

Retired Staff
47,710 posts

Ignore that then and just go on with the rest of it

#15
Magnolia2

Posted 14 October 2008 - 10:51 AM

Member

Topic Starter
Member
33 posts

I did what you wrote, the desk top shuttered but nothing else happened. Here is a screen shot of my processes. Up until now, I kept getting "Task manager disabled by administrator" msg when I would try to open it.

Posted Image