false screen

frolma

Yes, I know to attempt with my bank office is a risk,but until now I hadn't
had any problem. Maybe now I'll choose not to do so


! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msadpcm REG_SZ msadp32.acm
msacm.msg711 REG_SZ msg711.acm
msacm.msgsm610 REG_SZ msgsm32.acm
msacm.trspch REG_SZ tssoft32.acm
vidc.cvid REG_SZ iccvid.dll
vidc.I420 REG_SZ i420vfw.dll
vidc.iv31 REG_SZ ir32_32.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iv41 REG_SZ ir41_32.ax
vidc.iyuv REG_SZ iyuv_32.dll
vidc.mrle REG_SZ msrle32.dll
vidc.msvc REG_SZ msvidc32.dll
vidc.uyvy REG_SZ msyuv.dll
vidc.yuy2 REG_SZ msyuv.dll
vidc.yvu9 REG_SZ tsbyuv.dll
vidc.yvyu REG_SZ msyuv.dll
wavemapper REG_SZ msacm32.drv
msacm.msg723 REG_SZ msg723.acm
vidc.M263 REG_SZ msh263.drv
vidc.M261 REG_SZ msh261.drv
msacm.msaudio1 REG_SZ msaud32.acm
msacm.sl_anet REG_SZ sl_anet.acm
msacm.iac2 REG_SZ C:\WINDOWS\system32\iac25_32.ax
vidc.iv50 REG_SZ ir50_32.dll
msacm.l3acm REG_SZ C:\WINDOWS\system32\l3codeca.acm
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv
aux REG_SZ wdmaud.drv
vidc.DIVX REG_SZ divx.dll
vidc.yv12 REG_SZ yv12vfw.dll
msacm.siren REG_SZ sirenacm.dll
VIDC.PIM1 REG_SZ pclepim1.dll
vidc.XVID REG_SZ xvidvfw.dll
VIDC.MJPG REG_SZ Pvmjpg30.dll
aux1 REG_SZ 3740728561.CPX
VIDC.MPG4 REG_SZ mpg4c32.dll
VIDC.MP42 REG_SZ mpg4c32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server

Gmer(part one)

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-07 01:03:04
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAA35F81A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xAA35FDC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xAA36182A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xAA3611E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xAA35EF90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAA36318C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xAA35FBC2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xAA35F3D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xAA35F5D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xAA3614EC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xAA363698]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xAA35F6E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xAA35F750]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xAA3613A2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xAA362C50]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xAA36103C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xAA35F0F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xAA35F9E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xAA3631B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xAA35F93E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xAA35F7B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xAA35F4BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xAA35F29A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xAA362EB8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xAA35EC12]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xAA3620B4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xAA35ED74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xAA363568]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xAA35EA10]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xAA3616CC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xAA35FCC0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xAA362D4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xAA3631E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xAA35F148]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xAA3632C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xAA3633F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xAA362B7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xAA35FA92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xAA35FB04]
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous
---- Kernel code sections - GMER 1.0.14 ----
.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9E54 5 Bytes JMP AA37601C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE738 5 Bytes JMP AA3763D6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2720 805015F0 12 Bytes [ C4, 32, 36, AA, F0, 33, 36, ... ]
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\System32\svchost.exe[160] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 00F60000
.text C:\WINDOWS\System32\svchost.exe[160] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 00C40000
.text C:\WINDOWS\System32\svchost.exe[160] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 00FA0000
.text C:\WINDOWS\System32\svchost.exe[160] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 01950000
.text C:\WINDOWS\System32\svchost.exe[160] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 01960000
.text C:\WINDOWS\System32\svchost.exe[160] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 01970000
.text C:\WINDOWS\System32\svchost.exe[160] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 01AA0000
.text C:\WINDOWS\System32\svchost.exe[160] ws2_32.dll!send 71A3428A 5 Bytes JMP 01940000
.text C:\WINDOWS\system32\svchost.exe[256] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[256] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[256] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[256] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 01010000
.text C:\WINDOWS\system32\svchost.exe[256] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\svchost.exe[256] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\svchost.exe[256] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 01160000
.text C:\WINDOWS\system32\svchost.exe[256] ws2_32.dll!send 71A3428A 5 Bytes JMP 00FF0000
.text C:\WINDOWS\Explorer.EXE[888] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 00DA0000
.text C:\WINDOWS\Explorer.EXE[888] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 00D00000
.text C:\WINDOWS\Explorer.EXE[888] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 00DB0000
.text C:\WINDOWS\Explorer.EXE[888] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 00FD0000
.text C:\WINDOWS\Explorer.EXE[888] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 00FE0000
.text C:\WINDOWS\Explorer.EXE[888] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 00FF0000
.text C:\WINDOWS\Explorer.EXE[888] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 01590000
.text C:\WINDOWS\Explorer.EXE[888] ws2_32.dll!send 71A3428A 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 01280000
.text C:\WINDOWS\system32\svchost.exe[916] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 01290000
.text C:\WINDOWS\system32\svchost.exe[916] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 013C0000
.text C:\WINDOWS\system32\svchost.exe[916] ws2_32.dll!send 71A3428A 5 Bytes JMP 00FE0000
.text C:\Archivos de programa\Java\jre1.5.0_09\bin\jucheck.exe[984] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 01E10000
.text C:\Archivos de programa\Java\jre1.5.0_09\bin\jucheck.exe[984] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 01E00000
.text C:\Archivos de programa\Java\jre1.5.0_09\bin\jucheck.exe[984] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 01E20000
.text C:\Archivos de programa\Java\jre1.5.0_09\bin\jucheck.exe[984] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 01E40000
.text C:\Archivos de programa\Java\jre1.5.0_09\bin\jucheck.exe[984] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 01E50000
.text C:\Archivos de programa\Java\jre1.5.0_09\bin\jucheck.exe[984] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 01E60000
.text C:\Archivos de programa\Java\jre1.5.0_09\bin\jucheck.exe[984] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 01F90000
.text C:\Archivos de programa\Java\jre1.5.0_09\bin\jucheck.exe[984] ws2_32.dll!send 71A3428A 5 Bytes JMP 01E30000
.text C:\WINDOWS\system32\spoolsv.exe[1244] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\spoolsv.exe[1244] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\spoolsv.exe[1244] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\spoolsv.exe[1244] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 01180000

frolma

Gmer (part two)

.text C:\WINDOWS\system32\spoolsv.exe[1244] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 01190000
.text C:\WINDOWS\system32\spoolsv.exe[1244] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 011A0000
.text C:\WINDOWS\system32\spoolsv.exe[1244] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 012D0000
.text C:\WINDOWS\system32\spoolsv.exe[1244] ws2_32.dll!send 71A3428A 5 Bytes JMP 01170000
.text C:\WINDOWS\system32\winlogon.exe[1568] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 012C0000
.text C:\WINDOWS\system32\winlogon.exe[1568] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\winlogon.exe[1568] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 012D0000
.text C:\WINDOWS\system32\winlogon.exe[1568] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 016E0000
.text C:\WINDOWS\system32\winlogon.exe[1568] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 016F0000
.text C:\WINDOWS\system32\winlogon.exe[1568] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 01700000
.text C:\WINDOWS\system32\winlogon.exe[1568] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 01830000
.text C:\WINDOWS\system32\winlogon.exe[1568] WS2_32.dll!send 71A3428A 5 Bytes JMP 016D0000
.text C:\WINDOWS\system32\lsass.exe[1624] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 00DD0000
.text C:\WINDOWS\system32\lsass.exe[1624] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\lsass.exe[1624] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 00FA0000
.text C:\WINDOWS\system32\lsass.exe[1624] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\lsass.exe[1624] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\lsass.exe[1624] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[1624] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[1624] WS2_32.dll!send 71A3428A 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 00EC0000
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[1784] ws2_32.dll!send 71A3428A 5 Bytes JMP 00EF0000
? C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1844] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; unknown module: rasapi32.dll
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1844] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 041B0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1844] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 035D0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1844] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 041C0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1844] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 041E0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1844] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 049B0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1844] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 049C0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1844] USER32.dll!VRipOutput + FFFA4DE7 7E392A78 4 Bytes [ 70, 11, 41, 6D ]
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1844] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 04AF0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1844] WS2_32.dll!send 71A3428A 5 Bytes JMP 041D0000
.text C:\Archivos de programa\MSN Messenger\msnmsgr.exe[2160] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 02310000
.text C:\Archivos de programa\MSN Messenger\msnmsgr.exe[2160] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 02300000
.text C:\Archivos de programa\MSN Messenger\msnmsgr.exe[2160] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 02320000
.text C:\Archivos de programa\MSN Messenger\msnmsgr.exe[2160] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Archivos de programa\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\Archivos de programa\MSN Messenger\msnmsgr.exe[2160] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 02340000
.text C:\Archivos de programa\MSN Messenger\msnmsgr.exe[2160] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 02350000
.text C:\Archivos de programa\MSN Messenger\msnmsgr.exe[2160] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 02360000
.text C:\Archivos de programa\MSN Messenger\msnmsgr.exe[2160] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 02490000
.text C:\Archivos de programa\MSN Messenger\msnmsgr.exe[2160] WS2_32.dll!send 71A3428A 5 Bytes JMP 02330000
.text C:\WINDOWS\sm56hlpr.exe[2244] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 01490000
.text C:\WINDOWS\sm56hlpr.exe[2244] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 01480000
.text C:\WINDOWS\sm56hlpr.exe[2244] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 014A0000
.text C:\WINDOWS\sm56hlpr.exe[2244] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 01610000
.text C:\WINDOWS\sm56hlpr.exe[2244] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 014C0000
.text C:\WINDOWS\sm56hlpr.exe[2244] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 014D0000
.text C:\WINDOWS\sm56hlpr.exe[2244] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 014E0000
.text C:\WINDOWS\sm56hlpr.exe[2244] ws2_32.dll!send 71A3428A 5 Bytes JMP 014B0000
.text C:\WINDOWS\RTHDCPL.EXE[2260] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 02BA0000
.text C:\WINDOWS\RTHDCPL.EXE[2260] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 02B90000
.text C:\WINDOWS\RTHDCPL.EXE[2260] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 02BB0000
.text C:\WINDOWS\RTHDCPL.EXE[2260] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 02D20000
.text C:\WINDOWS\RTHDCPL.EXE[2260] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 02BD0000
.text C:\WINDOWS\RTHDCPL.EXE[2260] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 02BE0000
.text C:\WINDOWS\RTHDCPL.EXE[2260] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 02BF0000
.text C:\WINDOWS\RTHDCPL.EXE[2260] ws2_32.dll!send 71A3428A 5 Bytes JMP 02BC0000
.text C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe[2404] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 017A0000
.text C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe[2404] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 01300000
.text C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe[2404] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 017B0000
.text C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe[2404] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 017D0000
.text C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe[2404] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 017E0000
.text C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe[2404] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 017F0000
.text C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe[2404] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 01920000
.text C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe[2404] ws2_32.dll!send 71A3428A 5 Bytes JMP 017C0000
? C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2460] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; unknown module: rasapi32.dll
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2460] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 025A0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2460] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 01EE0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2460] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 025B0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2460] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 025D0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2460] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 025E0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2460] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 025F0000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2460] USER32.dll!VRipOutput + FFFA4DE7 7E392A78 4 Bytes [ 70, 11, 41, 6D ]
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2460] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 02720000
.text C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2460] WS2_32.dll!send 71A3428A 5 Bytes JMP 025C0000
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[2484] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 01CC0000
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[2484] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 01CB0000
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[2484] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 01CD0000
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[2484] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 01CF0000
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[2484] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 01D00000
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[2484] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 01D10000
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[2484] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 01E40000
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[2484] WS2_32.dll!send 71A3428A 5 Bytes JMP 01CE0000
.text C:\WINDOWS\system32\ctfmon.exe[2500] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 01160000
.text C:\WINDOWS\system32\ctfmon.exe[2500] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 01150000
.text C:\WINDOWS\system32\ctfmon.exe[2500] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 01170000
.text C:\WINDOWS\system32\ctfmon.exe[2500] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 01190000
.text C:\WINDOWS\system32\ctfmon.exe[2500] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 011A0000
.text C:\WINDOWS\system32\ctfmon.exe[2500] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 011B0000
.text C:\WINDOWS\system32\ctfmon.exe[2500] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 012E0000
.text C:\WINDOWS\system32\ctfmon.exe[2500] ws2_32.dll!send 71A3428A 5 Bytes JMP 01180000
.text C:\Archivos de programa\Messenger\msmsgs.exe[2508] kernel32.dll!FindNextFileW 7C80EF3A 5 Bytes JMP 01A10000
.text C:\Archivos de programa\Messenger\msmsgs.exe[2508] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 00F80000
.text C:\Archivos de programa\Messenger\msmsgs.exe[2508] kernel32.dll!FindNextFileA 7C834EB1 5 Bytes JMP 01A20000
.text C:\Archivos de programa\Messenger\msmsgs.exe[2508] ADVAPI32.dll!CryptDeriveKey 77DBA685 5 Bytes JMP 01A40000
.text C:\Archivos de programa\Messenger\msmsgs.exe[2508] ADVAPI32.dll!CryptImportKey 77DBA879 5 Bytes JMP 01A50000
.text C:\Archivos de programa\Messenger\msmsgs.exe[2508] ADVAPI32.dll!CryptGenKey 77DE14B1 5 Bytes JMP 01A60000
.text C:\Archivos de programa\Messenger\msmsgs.exe[2508] USER32.dll!DispatchMessageW 7E398A01 5 Bytes JMP 01B90000
.text C:\Archivos de programa\Messenger\msmsgs.exe[2508] WS2_32.dll!send 71A3428A 5 Bytes JMP 01A30000
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6D4FDF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F6D4FDF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.14 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
---- EOF - GMER 1.0.14 ----

Thomas

Another of those odd code translation functions in the registry where normally an older type of wave map driver should be. The Gmer log suggests what could be a translation function as well hooking into a lot of processes, except that each of those accesses the Winsock, which suggests net communications. I hadn't actually ask straight up yet - what types of translation software are in use there right now? Any recent installations of translation (language) software?


Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool (scroll down the page to locate it). Type (or copy/paste) cpx in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them back here please. There will be quite a few unrelated items that happen to have "cpx" in their names, but with the random name .cpx files this is the best we can try right now.

---

Also Click here and download RegDelNull.zip. Unzip the file and when you have done this, read the Eula and then copy and paste RegDelNull.exe to your C folder (so it will then be C:\RegDelNull.exe).

Go again to Start - Run, type cmd (and OK). At the prompt copy and paste the below commands (hit Enter after each line).

cd\

regdelnull hklm -s

(be sure to place a space after hklm)

Your registry will be scanned, and if any Null entries are found, the scan will stop and you will be asked to confirm deletion. For now, type n and hit Enter let the scan continue until it has finished.

When it has finished, click on the Icon in the top left hand corner of the Command Prompt and choose Edit > Select All and then Edit > Copy. Rightclick on your Desktop and create a text file. Open it and position your mouse inside the file, rightclick again and choose Paste. Save the file and post the contents here please.

frolma

Hi, I use the google translate and mansioningles http://www.mansioningles.com/. I use it since long time ago.

I can't run regdelnull hklm -s, it's not admited like a command :

Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Propietario>cd\
C:\>regdelnull hklm -s
"regdelnull" no se reconoce como un comando interno o externo,
programa o archivo por lotes ejecutable.
C:\>

Here's the log

REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "cpx" 07/09/2008 18:56:39
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

"P"="q2+GX3I8N9XI]8Jmk=]?3^)8AL.GS='~ndIgLhJ]Ig-o4wQHP9s7BkU3~w%?Ue.&w(0_+?+L~cfGR]Yi1t!*7U@fY8Ar8JANuYZRtGu_CZs}w@n_+,[q^FSyTjOPAVJ^k9HexH_*AW45=[`3JFBp6@k'HbRy9M^Z?_6@Mc14&=@36JExpR$7mwe[JC{aD9m0[.V]1lk0ovuY']Tze?W~O0^p3{nDH[548KTDy?[T-{^k*EeISWR={`~Fb=xD*u!Q2h824DIS_L.&e@e2P4Hq,dX.ib!*g*9[H=Bxx`53G0V?=FunXU'la9AP[jPrTD._qbwwDEX$[9mtkYr=kN=V6L{kDk-b)9)BCX@eh0?XHJOa*KMe?AJdzmIaEXzB=yzO6cRGf?u~*+hayy2@%7qNx}@W&?-vo@voye??p*O64zL-{8y}f1fgxz3`&`(35.Qid=Ix&iG{DBL@=@^F$9)z-9p0eG[JrSz6QA6'v62aH@Aa.d-W?QmxhGu){T@JaAf*k=w&&`)3hh6BNy!5Y@@o`4HN*FO+OuHTMbLlB=*`sP8!Q[mlU'~..(30c90JK?70PJ+D!.G,x7P-h=[]F4$X%}^U7maNK@!?o?[VTenQ1AHT=pJfGj'H^A6Ks!+PMWRIAW8ib'6]T?KLZmezEooDe@sDynjK+@2X-MN&n3f`E-iD`OwX=9n^AVMobQXZH1H'RpXh,AM1EfK(UB6t8+Ox@(18o@eumbQ{dm!k.~,w+!9NT?gD^wfG-PWhwwrV@,P*WAD%YK@dND$td6]mCCla8A'cFBW8NJpd(Hc~wUPV[AF?n29'ut-tq='CaJ8(??poHBmyhHTwSvX6N+jO1?&16xiiRr2!Ex@daH+3~@Map?Lm}Tv?_V3r,+G{K?NNx~62}n+e}9%s!duxl=IYnbsGnCVuEt}+PMQoI9HK!KD[@6BB)AKS4EB7v9WFZv4&gs5801x=X1,sYAw9xh91B1aIFb61Qbxjh?{5W!vD*K'[[IhT'8-309{dGj@k}W{^mo%)[gJu[=!iPNN8gS0DkI'C%0ikF@(BxXzVMp-E4A85N?SAa=d5SGD%S+}hl,@lLN8ks=vM'B]%-H-GCwCyTA^F_?+N!i*ikS$xkx%AO8_1s@'_jP&hgMsU.R=D@)__5@0IT4?HWHV%N^L(a?Y~K?r'+w`$3*WXr&=~6'jUUAhDirXAd&cOz1HRw%Sj39J$&le=)5$zyLxmLXFlx@MM(f^3vmP4T?OX'*G(v=HBl^'*KY!7&wCK2{C&~?s&L07oj,?&dXW1]ei2N=k(OpDZ0MQ%~.6x*eeWa@Xj0NUZc^A%zqG$ob7D&?V6Y[i2(.4=!pY'J'TJc8%kxd+w'fq'wC!uCoqZF?Z%,`I_4}%j!!3LY$AO?@GSqRN]nG&oLerU=2bfP@CL^4!{1V4S77^Jh_By^@!@q6m}dS[KBF*(Kh)-0?so)I7WA'83VP)LXf.i6AbsyP]X76jAM'e3c@W6+=ILog2cP]Z+Q5`g,(,^G=+hvfcmrjRG(n*wBU..QAr91-0'G`8l@)Ln6o--c?paXpDjr~YcJhWHp?5U$@MP'ZjtqlOOM63HqQS@0?q2[1Q]w7JiqI&~MGv)f=!1(WZ5!Ql+g.Md`QzeT9'u_1,3.%Ue3MIz$QKz]@PXRp6!BqH%}v281^Mqx@8O(aM~WGDNR('Mn,68N@&BgjY40([)c~(n6nfe(A(2bOftUX]W3+?fvg@0-@H^(H7Av]bWiNu.KCv!x?IRi-B')[XGc7^W.5YQ!?n=Qci!$?KA2]+pC@Y)L?[mZu33_zkBTYW&`r+8{8n`70V6vS{K!ml~1zdG6A1yGY'$u5AhN~tlTyA[t86U$k_e%oKm&j{eebHgFA5f5@%-,zzOa'.a5EJR`?a(J*@Tb&Z]YluRPj.2W=8-!K?s,C0mYJ4gwO2}*9^aIKXMQfWv6,s&ZR4TI?aI[XS1QdL&z=OVR`)~U9*=lqIFFphb?uA$b=5OT?86oJ9iBfvT4F]zPTm$CAhFXmabVgZYJ`41xC.bR9,?MS]{oQ-8&O*j-Rmr*AZr_Eo]2dE?Wefd-D!0U=}jc$*!JwEw``EzP^lX9A3((n*9)x`Re}Ilw-.}XAy,ECO^4Z'*vT@tbqDuf?Z+4hO}wZ(d3`Wvp-TpR@V&{[!%{gf`-dIlKNl&V?E^`*,LdnooTQl`]o!N)9&O7cIkZk4E35r~EUp~{8n`KwXSU&@.$dXCQA&0H@4Ztsa_T[~Y&ec8=EKuf@z7opa0ekD3%Tq3E~-Dy@Y),k_D)eX^@l{6BmU6J=C1Z]I_{Q@wK%Gct.i&)A6hte0sscH@T8qHRf(&]9X}=-P}ll_IaG2umS^A==iK)Fh~8,imd2Ig&Fy6U@}pc%E'cpXGnOApDAn`OAt.[ujZ7Y.5Adrvqa%5t=tE-7],]&B8$&jz`c2tP@Gf(j?+osO.?zLPXpITS9-)j_z3J6[hKZmYkB5?S=zF3.5b^rb^Uv8_62a5d=_!OA${$,+4[=@x7MTLq9mM{R]tcJTxqEN%(dX8p8Cg!@8+u&eoJrK-F?+=q?G~Ia3zvW2@!oC$XgnD1A8AuiXquL8!}GV1Ceqls?.=_~9zptYQd-?9g{NfQA~S07I[)27Jkod=Nl)Rn?-ZQ?.Pd%A-ncRMQx!n&@p'HUvI2de@0Z^V4aafD9!GVJ2BPNZj$Q8%iV)bBAGPF~87z1gggRE)`O[=NAZ_RXVmq{]QRZY}[~Cn6AYYr~7N-'iUsG5spHe]&9^^1P?+*Dbhbl%uE&}DaAz5IZ7@ej37SOPKwT`@]8R8i&nCEe%&9Ry,w+?K7=4^Bk1s[B.NkW!vDOA!c?Gh6^TP0TNaJ^dCGiMst=X&sx?N),ah6Q2=VKQlI@({Fvy(moy4T78RN$,&[8kHsipn!w48'Ac3&YVlY@~?d81~}(?.~!pz8%Qvj8v3Hb+?tY8MGRB6S4F5Z9d],}0hFKiuEhJ.5saPm8S_Zg`0iABMa7bj&7wOXA@01Vp}%ZeAdRHPh3odWAm5pccgZ$59=ka8uGEB_?+@S}7PA.'0*Bm-OC=s-9XcobqnPxryK03CMmNas8UdGMdzm.Su@fKlB9DPy=704+W(LR-n*3TM0o=EXA'lxj922nH,^U9x0T3~(=XM}'B+&r?6mwlCVO_v^@Nkpg6&4tOY5)ZLp{-%aAxi{(iyfa.!R4Ona$5D{@UJej^ji`Q^=eA[iP*L)9.U{qaiXLX_n5dQ-i[.@=)3wsS,&dZmT?a(gV{}E?nOPt`![N_W_2]o3J9Er9!6XCE2i$5PCbh~4nH_3@7o`cN{T6q8}S&$X)-i9AX@4-+SHvcm~R$!2AzpQAsL7RQJR!J7y50V*^XP79kOXk.$[BiZ=+hl0?*'K@pcxBlBZ1H2Z4'i*isEn=('lQ([1*I`PuVgOf,hS94i{(%yTp@eBz{Z`Fxw(9y`72'KKd+g&VO,2l[JT?4$J`CzO'g2Ol1[-P]O6@&'zLjl-)vs+(m'Z)Wk}8oArOn'GHYnY}JFhj0C+A@XrM400}TO'@99%0gRE9E]N(i!+[)@~pwZ[b*uH?6Uf6eB,+q8E'_9W.+CD@b-p'6xSemtkBv-CJ94e@L$1KVw-9.[z0=xeBdq6=f~@v*0MPU]z&,=5MS,??]Cd5JN1ePklKiZyv4VD@xKQ3xlnh_VM^Pf4H5a)AKkaHG,SRucYQ*5cL3WQ@Y+`pYzDUk47Ks%k6bfT@-5g`=bX!Vlfit9=[!H==.*~v_X9dF6dFVe.hWj9=J5d,6Ta+IOk'6N[S[z@=9[)OE,p'j,mW?WrrAUX?4[kK+H$!.5f(W0P[(2y@.hRH5@Imvs,2'tJoaeV9!rhUIx}&kaE'0,a-tcM?RQFxjpf82jvme=tEh.Z9,XX},LJYDT5Y1%YO)Ku?e^9wwb)RWWU%}Dg%@MRAXVpk0xcRb$Aq$rkSTDS9R=^n+iG_J,0)0vNwd4l8WeuUtImACqD0iZ%'5a6=9Em=QtrZMD`8]`Xq2cM=^iGuwJfK]Jy(=2g*]}W@iw7`=CZLtMTwLpor'cI@fU9+Q?ltAj!jd.!LfVP9?4qfS3m5mSeseA_Ta9,=?&+N^$Au$pz(QzD0rPc9B54]&0K?!CJ-1{D-r?W9@tTNkP$koWx](D%sQ?v9c*)@elw6DLBQ[[aQ3Qv@nN&O!k6F'(vCztxBsXi9r%1^I)4FzRY!4.meji_=sR'.N+!^(]z,{Sflr!k@X{B`h*ILqEmqe^YS1mdAP9_8``0F8O*~Rp1@7V`@lHbuk?T*UOTGkiu-3=O94nC?(w&e{zb~n!.8cCX@SMP~x.jvfD`Y2F5QNJV=KJSJc-%DhL](k$TjdJu@DMlG+oUgC'mL!9flniz=K!Efkrvb72VP4o0W*AW=a$_niSi[!nteG%yj&L!=MK602cBsx)$IIv11.9$AW~,U1kY{FkI4T@BwfYi=]6Dkmv.zx8wh)m)s'!TA0}]~hzdw3.]R[nyQb879v1'~%9xyN2uECCW{IIP96a1WP~SZoH_[S[5p(X$=T5P1*D(@bK?tJ.BTgpk@4!mRh3%'Eh6&sv.k+q6?.%-i%YjDlAOuFvQ'YpL9mu%@r8l[0,&.!7m1mTCAFR2?f!2!H[fq`rXCJy-=L=cfYtcFW$yK%yM,lgX?upcoz3!P@5Cn-DdMv^5@2'eo&gB{0,a0q{M*1$'=Jp,%!c^7q1+Kmp(*b!P9BTj}Cw]nwH2au%Q51Fa?g8wB_qe,?Zgul*7o'Ur9Ver`%,vWSzYqFC]{uY[Aj3rHxX4KHt9Hzw!A_'w?2J1l%-D[RHCEgOW19Tx9^uG.p7IPdET3]q1mkjv8-TWM0EkN(ikis*(xm}Y=%6v8?rvzp!8BS3w,U?.AO6u0eu1WPA[Ap}!{eWn8UP.dBK%nMpo+.Op*Ka=A'r)!!%^a&SqUYaU1jNU?EV?)9[H'oxBeBje@f^f=2}wkPb=w2*orCn,wU@Z?(.I}^}m3_dG.Ggq~EQ~8TE_=b4$~~$hzs8e!ycl@vJz~0P9L2!WU~v+l8%'=YIxB*,I42&EkK^)xjcX8+Y?rF77JTxT)2^Nx&?i=kY2++)Th5iil)evVbLh8GzkRmG_2}``bG5isVRc8@CCx6NY=@PyDV4ZUuxM9@_NZVjpBrfl09D0lj+%?al*S5AK=d`HbEWNtc8??Zf.r4%$J9lB)5u+BD{X??3Cz9kL@OzNr^!LeMqc?'&zmaq.}M@_R'un8lyf@j*,9JwB?fcP7(H3A6.Y?k_CLpX2qMFNP=}EH}Ds9{y)X1n%f.kp+WA_Yr[7=AuPdnCnH'6t~!tb}F(3A1m?*b,e8y65EbV?6*KY@G!ah5{7*22&XZF@``-0?WB~eZAoxaG87EZkiBBF@{d`p^i}CMdR{x3%v{GN=]oQeTB-QUe5?nGdwo=S@s_}Z$[3z$HZjAJf-]k1?U^.NA~_x&P%7eLhtspt9Y4LywR9Qm_P[$E@EpG[8O]+XceH}%9R8qa1G15e936+@+kkO$&R^hP.-@=k?LBO3N3UsQ's@gPgP%zU?Ffj****EHzzNe+7i0m{89as!3^p9)J_'FDrHHjg=wu6_s3s~.,G)gpA@N[(?UD]@vV%s?+YD40owIm_@)NAdI)xLG7x0U}d{*n'Ae$7M2F{~l?F,-]i0)BP@rEAV.nu*Tnm+0}c85u?@ztea0u[oqZB_(TCu`-u8325,g])1X17p!N0GU+W=Tx%Z.-1_Iz~!f%p}Erx?'w6s[pNXX.JdQB(7kw@@LM2@]__79edR=9@tuL,=i{$5itfqNe-yM[P(?My8WC2uwHbr,.ovF,4vh_29Oq,,sN.=j8u^}k+,c&t=JICl9M!c-egO{z=f4%n?2Po(sK2]*']+jIpp98F?zLm?]iOJ5?a9Hzgf9Qf8XQ+2!a(o0Ner$+]vART@AU'W7Ie5Q8]W4ha0q8w?jRcXm6L~*rYG+1,K^HU=RBM,iYr`C7ty}d&&tQl?mpp+kqT2%uIoPnrdbAH?4t8dxgdZX66$8uO1D0r=jQd0o$Vk762wS{V$6vJ=C4Vr3[V?6i]{.NaN{uR=mldeoOQa()WxN,pwWjU9A?2dsewyxtJS3c7Vj$p?)C$TZa8Q9]3aZGU]IUf@e{t{WtfmsgR'7bO*n8SAY(85.}$rHyuRfu,37,[AcXL&Pbo9AYdw=}tC?oP?DgrMTa-w@5,hdiq-Lb,?s5}F3~fdnHz$O,G_OMo@zvoaDyHcx&E]Z-]V7O!=!A}*TTLG44ko'&n6l9h9SgM^klV^rm@Bf,Z=ME69tL4S1U9$=9x~bD=c?(d9z@G)]?T72pHO1rAI[}q9UZ6sbF&I511azyxMkdX=zHd5d)a$sFS?x-T=L5~94$4evcFs1WBGJDjj32N9jkXyq~U(GcC'dq8bD.h=~P`cz,[hUjXSX(25dQt@1E9lvfB]H6uQ$b^QtvA@6t4TGe8awL`WOUiGdDW=P*H`,Wrjr3E8BCQHJwY9u{&EC(5]Z8_tl2T7HvT?[gCDBaCT1uSBJvN205K?4?Qr,Lty@.v!w!Pp(i{8LG.Zo&8lBaq_ibgVw-R9~%'io_NrtH=y.Cl{b3b8mq5wri--$a%rE?FsX*WA2qj7+uyLym_wq%-~ZPh89}MRVtz,4!gS_Ne]]9e@9eKVQS3)55^R&oHBX5O@h`At)twOi^$mffM%,@y85}zq%RQf[!V&Qrpg0{}@'b-rY~wr[(LLa4UU$qB@ZiIEc%5@P[N=pBufAc$A+YEhe{}2nC]U-3[sV5F@CHU([~9BoOIpCV%EEgL9ou$+9TCZthXW'90yS9*=~Va*7kF5zn5=uv%gg3V9=s5,L,a%BQh-xWzH04g=.[MY)p}DlUCDlr197nD=Eb`T+qDI$J*DveDZu,$9R=B9B$&sXR+&kr]{ECh98tZwvAIn^0eza86VjXg=TWhWbu{xWk,eL}z&$JNAF8]WC1St3%&TmUHO,QP9Fe`R6K]+aQXnOu=ro2`='Jp(-1uRcG67G2OyUn~=6I}8@-fNv%ZuoCb917.A{ybxYp2cEpPyt3HSyKD=LjsL78yvQtOoOA)TJ),9R]=@`X.z88EfX$P%?PW9~WubmVs)+t(gDKZAkcY?7z!.WImGDIiT%4h6tIz8T[yzqBI*-I86AR4h)qt8rhEeTtyxQ@uJRY]Nn~q8Xt}6Tk'3etDU4@Dutn0@oD+s^wjZC.x+`f5Ce[]9QJmsMCx!KJ6_&J90qo2A^].!x}oND=M0C'wY={c?l1'C)teL^gq*gaPAaux8w)5pF,RZo^p0L}(TP4ZA(nff2rd5}eBN1IH(r~$?MLHiEvnlt43?=0A{E2k?9?h[MscN+Z7XwW@,ZQg=!7]uTTqfUWNH1%Id]4!=mW]TJHC)M+vw4bUeeB%ALhg~cq-sQIY9nKLHPWE9hj]X?R&J~Wa]Qz]gOAY9.GI$Rof'Pw3WIy*YL'`=^5NuBH+F~mS'ywT0q%}?=pZm-nG~F+M_e`p$wGBAyx8onfZ61c^%PF*1lgU@?ziet2X~PM9_J'G(I{_=AeUZlr&.Y%z$hkSPt]39$Eh?Zp5@BpR8aStn-Ka@42e+s22Y@-*Umc*)?9Pyg!1Q4i!@IVWAS?OXhmZ=K8FUM7.!qyp)-NPKccL@UtB(ieA_{Mm8K!v`@,rG(n_5lLu=Iyjw3p'y9yoG&3b=5Bu&B8MrR!Om8Lp7Xsea3%t4(`Wr-,yN9'r-bWv~9*.CxC}1S^(r?8MB[sfu5)l$OuGcD]Dn?kVJ8UBHz[H[nnuS0Qdk=NSoA(.R^'Ib61@TuhoO=Ed(JoT(C_aS4ns_jhGe=?t-3TQF49{{**W1eweU?g0^ul_AeG7[*%B8([QAA?SNP8RQC4OG5(YAehhX9P$G2N~C=Bs@a2wz3=0}=f^PoHaE.rqk[7O)@Uk=$p?x^,Bx6B,y+USi'S1,^e8?a2E-_'rlGR~zC3*J*%=J{fz'l^bVy,qL(z!Gh'?R2*.cpC)bMfh@gdmPzMAmP1d+v]BcP$f*&ZWxMD=(ZX^7X?ohBy)MfpmooA9{?bUD2cfOGs@VgwA@u+=ELAhC?YXB7tAB^F9`-k9&(lTl,)a91HT-$Q}}G(@fkp?Q6ao?p}6RALiB~cAszc71m9lK_'+Ldw[And8Zcx*)mouS7o2*`kW'qJ=g]_-Y?,ZG=KK^8ywTtA?w8ls=&PUEJ,iJ4DN((F9vx'7uT4xK4GtJ,O]TS198yyX'S6bW)Gy3@[gjsN=WCHT@5wab]YWaE'p+HV=R~GJUzOa0Ft`!KN)i,m9i20tx39h8ZgI~Eh_92i=D`~@Gh*qxyf+t_2S`y)@E%$.QzNLabE*X(J_V{EA)F4+daz7p'khNMbpqW{9j_L_6hBD1F}{qq(7A2p?Zltkb.^cNy2fImoJ[Nh@0mT5r`lOSsxPe+FOMaF?Bqkv2M-wYIgknqK]z22A]O!9!=J,1f]M90QT8+t?G0CBeZLSGa7k1^wYUUAA=&Yi3+wJ&%f!Rr.*v@!AWHjb9[M1EVB~4Pb6^93@^F+!qmGF@P`u2yaFnO9@a(6{YUMblXNO}6S(=`+@FB}Zf-1EM+vJcpO{iA}=Z[%8rL)Xi&UJ.7&L'LZ8Qqeymv+iZ6~N?VPov{h?*M.CqhnoXI2$Zg$MZ--?zNxGDJlYRHt3CE+~Zd.9b7D}`(a4SdF[[{,{3Fk=1,947}vSCwnISR=((6?f*5~KUS7h}R!=pyH,y}fE4Rdw3ej-_BI9OU{3_&^Ut-o5F7_Op9Q@4*u0A!zaax$ypoa8dXX='b53zFQCu)=0~)`T^$v@%~4n3rI&j?7$&xrAlZi9!D%Xh)mI8VvbJ[+Aw^c=lB}gYx!m=q9Xd')M^?E?q}N{JI1j=P9DKU=8]j'=sJ0i)RxZ~lKLh_ISO1RG6D{rihLkotX'0X+40=R@OFxER,o)&[xTM.^k^3x=HF99D8~M`Pi_gT3jKPB=yWkT[$yDusl0vv8iZrFA6-'cSiJ9RJdDG(XNvKh@[RhBT]wHP.RvVQ*)u^~@zD3VE~1KdC~ylw+-mq!=RcYn3=qLM46hdy$yjR69.B_BSf_0l)^Zmp=3V[.??S5SF=Q05.8sH-'9pt@9uO'XHw'Q6sV$DCaEG=MAO^V0hy8kdb9Ds+AM}w^=11R@.[SrukdvuUPY7~29Ns43JGvi9y7mxdh'M%^8o4]b$5m3)xHtdWg^*F.A3hrH'HYA$?RM.'T@2Xe@8`?@*jfJJ.SVy3re2519mj}!oXz`f6'4?gsds!G@=HHuWASqW')x=66_L&k?2^czHj}XWYW-r6&nWV3?K8qUcfjjDr-A14d0vss=ch=jorCaPd.wzu=k%c.=uHnrg'(qGJWXOWj{Eg`=H%7wy4unk&?R7OH6jC)A5CAJeF((+-56Z7C^!4&9n8?A+8`4F^_LyL0TeWc8ZwOajn!ZMk9d-Fj4Wvw8TAVGAtR-?I?S_M=(p1b?OmKn)5&oQX^Dw'Fm8*l9wUhODw6D8*b,)E+R-CF@7ZxU.*Qb3JMM._XCf,,=Li4q7.`yzUe]8ni?A1c9=ktx5]-atSO}xVLbJgj8gl5F.p--ogujr=xdNH8Ad4x(Idj,we$C^D[ywX3=BJW]+vX{'m*Smd[pVLV9`'7synHh.7e(HGn9__Y@tB56l}QME*4pYwF1dDCAr]E]6yX)`94iIZdTclf97iu,cnQ4k*@s$64U]^f8Q!Oy$UJQwiE{2_XZYCl=9,Q3+{e&n1&H_c(`eZZ9c[4i2sN`(sg)PxZk}ri8m3LJ*l~I(eiae[_w[7p@k(LHOGM5JTNZBKy&TUp?kTSc6n^v2'lJBM9Kq4[8iRNGN~Sx`^g`ZJ`FVkW@qikk[h%z!%hR3DT8Q0I@UVY7'ACHiW^hF&x!7B%?C*u8{P0N^_$dBHMIrZc9`$iNud*'2@f3EqNy0We@'WtF@Fx%Vo7^wFSD4xr8=uU`(auf}VW8+w*}HTg?1j-L3ZR[]?QiuG-K_V.A)Q3aYvDq(9fe@W9A}8o=`igOv+(lF'fxenjU?@4@R*ULC~qW^ma,Ju0~@,-9nE!I[ZR32T$*N1xq]@8=zh)X2,oKm!.a}8g=UKSAK!pjZLYX-usYv.t)sCr81P[-@fvns6=bw[w&uLcAj6?zDiO7Y9Cp.[zV*pq9_17fWVm}HQ1E_*$2O}f9&CWDAMS[XDJXw?eWmOs?xYG!,p!@{!@tL~p}61994^jEC{mv(T=7c8!wbA!@-QtJaIgdQXNGqxh^-DJAUYg6x=Pc5pet=~@-XSUANSC.]w!$PGsC9t7+m8j=jIXyn{usg$y&Kpk@z@y?~j4}[)Qs9bK{~kj96CD?SQa$b}+2o-RJD[TFpG@=nC!eg,,E9-bgZo(XPEk9y'sl()06hr7_,XhbemX8LW3[v_kkv.9~~Q1tb+??IlDv2%B'+uF_Y9,VmE8=%,'H,ppd+u.@qd5_zR,9]t0xnKj?$fjSlxMXFA.9X.nupJ7-N_uoc-SVhfK=kd)vH!BI?0dp(ncB$jK?Vn_m@@I5*`{HViC?C7FAvZbfub~='Tm5yY!*WS7=TL.ToQ!=T_I=L%RrZ]2@E&I^K^a1R](][JzRSm_8)VIS,'n*)X-Dn&cf6!i?X7A%aX@DLE(wsijiC6{@=_))n2Xx4I3-%ISCZKZ@3[?gssi=_e$2L=X-DnMA?E1=ZWMPb&vPOP&&ng=?NUiqh?548mztdLkRetg=D=Z4)j5Gb?Bx[6)S(TN9ke?sV7f%$Bv,Y-MIcfE?T(ZYQ$-c&++YZV.5uS~8`T)VIMiYyQ]]EVeC]dB@pgM*zN(e0bC+kj4,cpY?t$J6qpN@W0,lv1nyMWWAbRRnUn}(duyyg(TK?&w?6--[SEVISay![XGsK0l@t4u4X(SMluCZzp[=6*&9$EntKviiNj_*SkZV?6.@mwbfDEGZQ(3U%kE@BeIAElQgt)z~Y=[n,6SKHyz9&xlr-PVmef6ZW-ADKBl8=B+LFK1fhvdbE4?azAI@Rk-D0^EMFv).@iAjFOM?)8H447]`UpbK{(d1sr[85r)yB^c,$lMCGyQ*ZpAAaOobRtuB[2Et+0]{k}o=WWSRoHPR`b@e&{k%7(n@FC'N@g5{~^7)lFMn`$c?G%^uh]XkfyQa$jZ!F~v@M3e(Mnv_2LY~Pln!_9&9[$I15TN9nB)E?]7bE`f8-?J{Tt!7,S3mH%Bfx!X?{3p{2cSkD+1D~R3.k4=@yIUWq0&$qAqYkel37L^Ao'Ofgs.T9!OVojzXE)O=1]=*m[S+M`X^upt')y!?sIO%'HazliERl-,Ww?i9NsI1(Bh@+vy%Qh^[ce!9N7bF2gG!1TwYEI(bRr+@*-1Lw^6.8`ZZ8JMV@&y@GWHd`DhK_!~uW2aBLQ.Axeo{Bai=Hq&!B9[{eFZ=[N13z2`o+ctrWIsf4G[?UWmh6p!9L,mY,v'z{C-A9b)3Am*ZOG8$REiVe)}@.d5`%rf47u~Q,4=KLE6=c8]r.mx4mNG03tz7x00A6Pd5%auZ,1`E)oc4.z&@.BV^xb%q'YahqO+Ze`R?YoyM`?&YgrSk{LLLvUt?C.`4Iq*ox38Du&fgc0WA7L1tvRkqSI8{8,i,GuaAfCn1-573+Ua*EdKca*G@Efh6k[D?,UCWZ[m!ojv?qF6.p5V&$1YaJxU.CHv8CmBs9Rn5=t&KA`M7{sl?Sn@Dib.%`aB]l6l1jE9AG}HNhMVFf(JLg^W&.)=90eklw1-g)Rklh9^Fd'+9hiv=kr*'jOe4j9&E7-UARP+Rr5JpFFrLxB*iCWRA+`Bbt.h8ze!F%g`&P!59nDL=5F'EcDhuV6jiWRo=4lu=UiaJKm`WVttfqeTA[6s]nzk)Z,'.F*abSw+As&+PG1WaVlI'$2Y%zL@?o17{?'&`nkDo(L[^a'Y=lESuSCcz$GqL%J'URm`@KZHhJ{b-oHIM8sTb~T+?W1fMoB*~R3VGghp@%ds8s[N-2%&epPwIOF3ZdJN?[{7o&Fk6MfO5W}nCJs[9JBfyXhq62=3f0]RLmdn9fzYX,m&2YbE-vQtG`bj?ix,GT~z]KJLE0P5=i'N@)sayxXNuukP(u!IrZqSAj@?f*Lqde)^h(%19*vx@niuIu%gnd+Iqi)VB!Xz9LR?(aG!XBvHc9ll5=kl9@[b{wcngGCMu}Is@-V2=k+B}cvxd?aMgY9InL2_A5!g(EhCL7F8bBJatoPM?JgNFSX9mlvw2HoXD5CL@qh_*g8ODAI9aTo=4zU,?Nni*qNR_hJrtk%b},s5@2z_vok2u-wdPO8oiEj.9ZCZqaWj}QwB&b@K*(tw=c$.ZvhX(A1h@9B7V-vw@13%fd}aeH!o75xi5Rof9iFU9mEqC$H{Hf%l)k,s8K2eD6%2Ii(S,{70.aoo8ZQtCm0NB%q(~v`6a*j(@%Pjqpgx^}X(@]9C6d9V=3^~.7PRt&UqN0Z&%f,0=W,bNJ-XA?418HGlHazS?2T9p+1R%'scPj-7MNHm9LjR3F3y!'UpyA&'.}do9I}-MZ^{G{S6mS}?XkLe=sDP!v{@~%ev)mqv9Fb%?BUgP'iE-HBX+6jG04[+@.b9rbg{83NvHP[raIe6?ZHvQ57U][X18gPPG6_x95eYy.^F]at1Q8VdI?cNAM^qsyMWr$wC[61_e1LG@c3Q=wSv(-{7$t+,G=*0@sF'u)G_T4DF+!KNn2-^8BNUd3([Q3sbPhlLkL@59!upbg7Z^yKkowD`,F?{?}c!1&i9XZ6O~jJ-dwsH=0-)Nqf2`aePwzkwz.x39{}LH!F-eB8Wvm_V5P.K@-.I&{+{gf%Uh=Y$z[i6@{+-2uLF*Zu*&OQ)3dmZ=Ua{FjS@mkb)d&,r-XF(9DKVBClvzm6.%LpwI~CX=T4h]!=*I}Y'd!d$af.3=PkICscmUYhkx~jZ+~ZQ9Ek!JfQ`kQ,j+ra.bzz`@NRlVUvr!WUTzO3iaxb`@?xepNsTXQkPv(QxJf[NAjUOtb*.&Egh({r(G670=e0g]G`_ZEsmkN*[AkA]A$Tm`*[&ms%i-ZQYQ-e@A7uuD(=?V)$Xy(g^-Fw*@hr&*4!bQY)%0?{7G.RF?ChxIh(DR0p}mAO'wFV89VcokZfq$2La72A8Xf+u?k&6c'FW2z8rsOH%vQwI?DQ=H(gLaj(+!vhdHU8J9%62Uqiq`)X`M)?3tOVa8+7H3v^wY$+e8t]$%i?{@YN`(YT4!qhP6uB^$H]V=OG'Os6jD?=I$MmV[_HB=_G{njfse$dZ]vD.(9N`A(rr{&a2[1RZ.'(a3.t@?1M6Hhi&zlE?gDj6^hB$=}~3P1&7FeMM&njdwr]S=SPDelxB+}G!,y4f)tBD9Nb}w5Phyl^1f7Rpe8Y]Aqr-21?YqBvV6zJSfjJU=-lRD!Sh@D0$@)UQ1zVn8=Q!3R!9l,aq(cRn-GOo=RQso(%WFo%p]AAopQs697]dH^=jFI&*OLtwj?f&9nJ'9IisfO.SLCSF~m~x@bIV='ndCgOMxPyumxQa?R+l7%x0anHMvPinbwRs9KIMa_LW0psdEHV1K}=m=axqtIPP(besQWa0S]b,@k8x{Uig'QE(rq!0gU(*@ZH@JBIy.=lmyULw7VO_=Eh$sdZynV&m^h(z}lSR=%6Tlq@MAOdAdz$^oREa=cQ2zSNQfpSo^Cxx}anQAdk~Eml24S3'8?_D[m%H9e@1ZXQgdB?7aev4cge^?MQ*fYUaY~6yA9Q`ZkGU9fZ$spxLU(p!5e6fj,.V@Y'_M'&im]-%!9`jWZVq@~=CYaG~`!-d@!6I.}PcA4gzOYSeZ(s3)N@%GdC-9Mic{o4(c*.]Z8%!EMt!=wwF$S*zuX6fo=aUP*E]AsAdO2gb,D7]Hz*kb0Ut=kw*zR,LR[UlnYgbu,XD@0)_1katnT&nn*(D6'mZ9(FTQwn9mP=HHSOfi[DQ@t9XJK}HafeVufMkBT,9Apk,T@fDcj4=Rhay?ihT9xM=~QZzjXLF4=9d%hB{9Q*'xzgiX*Tq0BN0-fB2@7DLyXa[CzP!K^[biJ1n=-x(1=[$)mikIB?U5L.e9B[GUw-2YPeCDs2DUf`Z?zEH.N?Q,rGA`i.?vsm5A]+s5+V3SrAS1nf'6nYN=~Q5j$ciil!0!?[SZ)8FA^At-s4Gb!F3eip]}QeH9E^!5,SEdEaamM,AxD9{=Fk0Emz+(DwWyK-,-%5L?NRdgc{0Y&HC5A[]RWYK9XBP]'wqAW@L.FqhwIV0A][!EMY(S-*Veq@U^N[T@]]ARI3$S.(AbY=`)4=d=v+OrAvZ1(Q'es~2f6?99]B_Mb{EwKzyxbYOn{Hs=EXuqOX+nwau85g+Rs5s9CoNGpDMG'QudX=HPB!e8+myCy{IHVIW(Ss^KDC1AjC$UT*]aJ1(6joD06cy@~CZFoaUtbpmJU_d%]Y1=lI}.da4TWP`UOWjlFev?.bdR.Pz4}ivWZyC!r&N?!@kd6c`!p.DMrXkBvj{8Vje*wT{'Kv$^kcdp@NQAkp$p8GN]ZF]v08`l@Y`99!9?9v=8L4-AoV,P?Cm=s5O{`&V+3$YiC85KQ6s=XM{%1By[Bm,[jLg,z-N@Aa{R2EnPhqFA$LEQvel8S1Br'@j+?RXUPB_RioO@?`t5S6QWd2N=WE0@YBp9}7%&8fQEYU?Gb6q5WRt?q$DwW-^-iy0-c,C-dr+9GLTgAclesAOp)zgNQf%@D4h){2$Sz^Z6J?XkKn]8AB0&ejW^Vuyxl[W)M{1?^-{!I.y},WT!-x=)CtLA!`8%&oO^@V@}FW'Ef=A@6D3&E!)'Hwp$5m16sQ39gqc-,a9aRJ5!fXx$GrbA?^+FGgm*a[h].%`kwda9RD$?SXLOKEh(!gK)kb7=p*Y9h&']!1%I@~3^!CU@9AevJ'%6rDY+zsO84iu95p8yGHhHIwEiVsuR-jJAsp&xRDvdsi0}[IUfttm8K(+@jbeP?+q$Wim?2rg9S[v$Ta!0Eo+Ka70t]g(=hVBh4f(ii47?N$sb)dj={B!jrr+1Tslnj2Sn86^?f$'Iu0?Tcq^NTLLMtYz@cYj3FlY.kC!VxxO~?mK=hzU8LbP5dYsC3PSzkZVArY[{$=@YRN?~Qc'~j0X?b!RX2D8M264qWnY^N-d89i}T7_s$A&k3N(U6x!~=]6fZuv6Hjd&AYxgtP!g=,Kx7$,L[Ka^)c02G~F99PiEmLdR.p[YNWw2]D%j81_jXt{RojlhC1AmmQ15AB)}^j[V}!XMX(PWWg-I9Jz?[K,.ceWg3_ML4[^t8{N$J17Jkb8yU]U`TsP2AlT),RnR8Z7vkzA=!6zd@*xnJM}hrVW4_@xNcdRN9g*(iSL$V9G$[]0''+}bA9MQtM=sTP97?~@KQ$x==_UG42ftPb]Nh[Cc2aYI9bzu%PKy-6)UipOQg+.I9nmL!dF)Bh[yL~8X!yvC=%0`S9lNiGCI]Y+'-nt!9KuIOS2$0?-,ck@vUO_V9I*6Qiovl2iVzPpVF^j.=FeCKKZMkS(8!22^HcHa@r)lNH!2b_F7Hea4dX48AgY$bU'E{4gHG]lef,Op9Fo^uKj,Vh495]!uPlL`AcvYmm0kc.$]S`-y[{?f?m[vsdmVY_U*i(7SFvd3A)euy$@6{Lr6%lr7vzT5=i=$NkmT5JIlQBF`CaSM=W?ddsbv{~PlWVY_300b90[[-Ezx!so0VEKIl^Kh=!Wl1Uanga,5vLP@82cB9wf@LJgKf^mLu`22]efg8zfZd[(Z)e`'.K7TdGpG9Ek1e=~wq+*]25,$440P?Y_py+dZLt6nDs?*f$mRAVCAu6lj.29i6@]of&SH=4.t!lOyk(lmR?Li75`X84YV21Pd8ss$*DJ+TiKA?%&kurFU!34Hb4=.gugw83ct@AO`a)3CY5yL[C50@@6AL$4fLonezN1Sjqa}=Z(2e4@hJM@Y^{)!U-YD@Rs65,.7oNzDGf)J]w3.?CY5+EXW]@)`BDbNAr*J?{qVv'Vz^~x`L75u[p2q9DM_KnA10jjphAJ!OMNR=DHH~B7??uv8WC]e`7$9@$N6rDB9Vp4k@lD1ctb'@n^pKZ$jga&FLWK?AY56?$PMZay1H0,7yApLLp4`8-6gcp@X'pwXRD,MdL)o=~.Cyr`O(+d=GAg+,S-1?t48yZ_uN8VT9~(aJo@m@k)g{MhET9ITq{+I5Zgt?T0@.16NYnFUMBa5!wrT@Qo-*+m_0n[XN{GL,Gzt@bM25KHOXudX0GrBAX^P@h2v}PWN6t6qvsP)}5?t9FI^m-MOA]vxCO!=[IPG=SLY)B=rv3zcw6vr_sDM@T'D}E@xQxSIN3F_op9p@zc$}LAZsu=BfP0Cv?3J?l2BYk0uplkM}XhwNA7]A[tQ4uq(q}8!rhGVj]v4=m$KprP_+`NOdZYdDb2I9.0g_I8]bUM!-9rtY?5I=tAeX_~Xt{Bp`C6V{Rwo8.nyel4+oU&it39OUy`o9[t3ta[q?FUE~fA3DPFL@ij${^4HcIoi`2oeMUkr?W.R7OD%xEWuLE_A=P4b94?RpI@&Wt&^Dj'Kr2Mg=hm`~Le!l}W[)L&-(`J]@]Ax.%Frc3uAAfC3jq4k99a%M3ISJ,'I1@_v)$mw?@A8n8~2Jo5pj&kj3294AkQH,ypC)y+Rz&[vtUY==,_'xJ^T0@UyyNyC65Uc9(IiK`A}'?0J!Q8fZ-&Y@?qG.({oe}Fctj^zy$@u8M0FIvYJ07*5Ge?CjsRx@Dql*fJqf_ahiUN%?Q~Y?$eEMO4fn61Y0ps%V_tM@tBIOQ^fd&?ZOGu7_z17=M.sk[c=&0F,1N9tqj*-?9ZrMetf[~C{_R_OvfwV9)ag~_Z&p(h_a7eB3e_w8TM&DC(yoefkb'g90o(q9wG7vW1`4K?U2Bo)!2SMABsJKL-+&Z-p=!TWz+(B?m)QD,$XQkh^mMR_Tmlr?[OEe+aXEfA=oLKT^%a'?7cuBb,'@*?uFr`UJxUt?Q(]u?Hz?A.Ez0Ys![@k@AqAI9^0xB=a!&{Ube8.9h^'vWj63.fN?P0T@pkP9LUVWYl=w(TRMLeZs4%Q9yhDf@?Olw[6cudmXujn@K@5v6yRNCvW~biweQS)=[J7bEiRhN2SG@4E(IpE97j'*eAxEUGQ=-?VH8{6zH,!B@%@CMV&hs8303neXa7t.QH_QUkd(N?f3)LtIS)we+]X,upzfy8Hc'Kw0Qqj[WRKol$C`!9seOE-x8.-jkc]ml7r0V9]eY8`^%CN=sO1vH*7an9?zBH_Dk75E94b6z6!D59^Dr]VS0?FY(GG7U~*LGA_qV.`dD(PUs$B`y(wZ!=xgU5Eo0k9zXu1c@F&44=!Tf88pjFJ9K7X7Ro{+_8`t1`FfZ),[3SjE6T[rF@1,k.{UnBWxXeFQ!ckOp=GD)FH_wr$opl~6sZgjj@b]E3SyR1avvPSZ6NWwe8jn9-9+YqE-*^zT1Sf.]AuI2McW*Mnpt]%EHi5ND?=R%3_9OhU[JnL+%m5F4=NM0I!8&rz6DHYC9NLSf??Nfwv@YWi4t0!44htB$?i3u0rMuVAWzXZTT@Ca09t7'ZSFoq8i8j7oWWf)I?M]8J=C2HVS8qzr!TyWT?9$kf46wtbqO[uU7M8kJ=A}mW,lCoc,XNkJipy1a@Ap)RdMc8yPgkYK$x2=]9~v`l(Zg`DcF0)&6tz-^@.4]b-+s9@pWX&.RyK8z?KSwy'.jFB]8b$~@Or0,?_}^]IRODl-VuWf*{]Bn=V=Bd'Js0p(IAQzmd*+v8f-eWAg67?EdV?Zt0pKM9oA-2j5.sp7MK2W[h*P}80wVXO9V@tnb+^fR1]{w=k7WNlT3B~-H}0blqBU}9vgiumH[mOae}hqND_Mu9JH,hG0%=[O5H`$zf^fl9C~^AdR,(HhXO}2)9FG)A~B^NCo[w_93)gm''cx=A[`5^_Oyu]wz8Xb=R7Qx=?T6KJatK$2_q5q1-Ebu=Hr+[i2Eg)`4HrScgS1[?4+~t54s!E4UmU=rLp_z9)(,gTEZ,{w)*1lVT@9o8L+KU3?zRDt!')_^b%Sf9LpEd8,FL-c+aCj@@ze$A]{Nm8)K8?j-3nM&J3q(AM^_6Nrx8Jyv5CLR4sl4?Ml6MwkGi(Wup'4pj[.j89KjUtcaiNqNt-Fton3'?IM1,4R*!E%rZV$C-Urs=W~SgxrfY)3JM`v2&0r4=Ybo%s_dQrFFi]?rC_Y@AO^s*!Fd,]H{jBjSj6Q*?,em_^Pub'{.nx314$=p=)Acg?O@vU8~4&4RM_-X@9^x@E&hxT]nraxghK$g9BqaRi{K@!1nraxg}K$g9BqaRi{K@!1nraxgiK$g9BqaRi{K@!1nraxgjK$g9BqaRi{K@!1nraxgkK$g9BqaRi{K@!1nraxg{K$g9BqaRi{K@!1nraxgyK$g9BqaRi{K@!1nraxgzK$g9BqaRi{K@!1nraxgnK$g9BqaRi{K@!1nraxgmK$g9BqaRi{K@!1nraxglK$g9BqaRi{K@!1nraxgoK$g9BqaRi{K@!1nraxgwK$g9BqaRi{K@!1(Q4}.0901AaVL%iwQ=+0nJwGE`Yw,=oX@cN77u{t}yZi^M.Eg(RG2XaPN'?te@h34kv?)9hQ'[xY@f3683DaxlO?I@u)=js+Tie[dW=]84&wm8VFjYZ_f)eFtV5F,N.yD9E4`w5K'uZSlRt-qG[UH@!+fYUk[JXfTAE'L2*=R@gxXFS7[Ow`7q2W&RwSa80O09o}Ae]i.-7xjnRDq?}x3Tp3W-Yc&Y)k*T%[]?,ZzLPljVNx5G!eFHgV_=CWSg?*I,Z'Jg&d)4~C^96,S53n&e6c?{FU$4?3=9Iq174+}f!F39lVwEd_}?DDKbuYc]c'8SogG'bFP?E]koPW0LL_rjkJENe][8cGF)'9w72s4w9=.Cy@{@1V7iqX{VEw2g-2d'tsm8D^VsN92_^&xsJ_lMQqi?Z-aGIo+{EbE.k3y%AQ2=CG*!SOkz_15Vr?n)CqA?Hl+jXI$_~.uK,P7rX%p@pxc.mEUcaf7Z]!_]LJJ@L15wU^+Zg$_uuPbvKOIA6PI0aR%(fuFMQX[.%XE@0F%w1TkDixcEO4N[uwC=,chfV=kG~XVK2Nqyom_?!LeKwf0J@cV^nU8,X[u@$bC'jElraB[CIk=IM]QAWP&78R!vg+=.7=.5d${@f?1.2*sIjLk+*09r,BD?Ad3+AqtqEw$7sSEB&[,Ao(%`Q?6xu&fsJ)kBt@I?R*&$JH1@Bg[o2Sab{,[8$'1$r15_^dNm_f4@q1z85QpJ.Z@,SYpX8(mEL@,9{QNW$QC.ZU&a*5Xhd4M@G=j5BPdBC+bf$R?YUko?=+4dk%&N7$qC[!n1N$$?ziMNC`]e&32wo]`(DeX9}f_MVav+uIFb(N!Rw6K?O$aI!&`a^QJT+(dRO?3A}.-,KoupmwRR.22*=BJA2n[nr}%Fwy.-Dre@K'Z@uNqIpD.`iq7@`Q$!0,69Yo+=48.]oue*%mJ=+er@cTi4^.W?w6-u$2au4c(A%C2f4+LBI._j0,Y]s!Soe8MkbIdFwU_j0,Y]s!So*9MkbIdFwU_j0,Y]s!Sou8MkbIdFwU%9YbWIfIbe?9MkbIdFwU!M!&ZZc0%ne8MkbIdFwU!M!&ZZc0%n*9MkbIdFwU!M!&ZZc0%nu8MkbIdFwU+SnXWTvLne?9MkbIdFwUaZO,H*K2`Ee8MkbIdFwUaZO,H*K2`E*9MkbIdFwU=$k`IN]I8Ce8MkbIdFwU=$k`IN]I8C*9MkbIdFwU70-T$!(*&Ne8MkbIdFwU70-T$!(*&N*9MkbIdFwU7y)eW8l7_eO9MkbIdFwUpR^pXI`Quoe8MkbIdFwUpR^pXI`Quo*9MkbIdFwUpR^pXI`Quou8MkbIdFwU7y)eW8l7_e?9MkbIdFwUiE$[M1%.d'e8MkbIdFwUiE$[M1%.d'*9MkbIdFwUiE$[M1%.d'u8MkbIdFwU86J8lG[%Q5?9MkbIdFwU6k}pHLH$SDe8MkbIdFwU6k}pHLH$SD*9MkbIdFwUfr8_l(m2NDe8MkbIdFwUfr8_l(m2ND*9MkbIdFwUNWgNOjBW^@nB=N'E.&_$T%^AER6{5@Ktm~Z}^volADCr6SpgY?OdJcxNUYmNXN$Xr[2ae=3{16t8`kM76*oF9~j,S9r}t,gBece48ThRiaJZ)9&{~dfnK'%L"
"CADStandards"="$T([EMAIL="x2L}20@(.](S=K*1xm~i)qe3Tj=UpMH4$oO6*ArCGm(S_39zqa^Vzz$})(2k!%N4yN@5Et+tfI,4Tlu.fOZOAH=*fb8)*FAwx{4YXMQ8}-9EN?&&2N-AN@Af{8B3Z_@DaH2aB1)erY%K%N8&La?a!sWGLsGM4$'dlg}F2}?W..aJ7n6IZZQThCpXgJ9Ei0xenTV9YxBZ,6b~uN?{iNDZKdh-rU4d4+_d16=v3$FQHw4G?0rI(YK=y?@FwY&8c3"]x2L}20@(.](S=K*1xm~i)qe3Tj=UpMH4$oO6*ArCGm(S_39zqa^Vzz$})(2k!%N4yN@5Et+tfI,4Tlu.fOZOAH=*fb8)*FAwx{4YXMQ8}-9EN?&&2N-AN@Af{8B3Z_@DaH2aB1)erY%K%N8&La?a!sWGLsGM4$'dlg}F2}?W..aJ7n6IZZQThCpXgJ9Ei0xenTV9YxBZ,6b~uN?{iNDZKdh-rU4d4+_d16=v3$FQHw4G?0rI(YK=y?@FwY&8c3[/EMAIL][wkP"
"EaseOfUse"="[EMAIL="V20B?Pkjw?WTN}k'O^rKB_UuK7Nok?~VxaZ=s9fW06CzcbM=h@M)-+tQubxPhw4~Pl"]V20B?Pkjw?WTN}k'O^rKB_UuK7Nok?~VxaZ=s9fW06CzcbM=h@M)-+tQubxPhw4~Pl[/EMAIL][s)9A-TC0FYgNdRNx)&HJtEA`x)N5-0MDzA,1?Z4*^r?7'vQzHd^]U$Of114tE`?4bQP@ovhK,Zb1Qr.5TE@,Zi=A*g`m=8`b=-V!1m?9vXk&~p9?1Jnf5PiD.o9k06u?x9_G&~bh(P0[A!9OW=mw.uv@MCm[`GkI@C@]Pp5JQ+AG6X}__lkhIg8&mSjyDIt`22z'jek0EL=NXT8UhhZFTcPxh!87gf9d-Hh+L`t@odmCM6^Df}@aF[D=+rJV%X1Cc*wnfp8(R+XDV$Z9ey{K3)%rf'A`FasQKQepWLHM2u!.Rm?E@JdvtBRcT5AVAfWaLd?}dA[IJXV[E0oy=6B0Cx?)etO8La@dp*sWISsHid9TAOWw%%}_w"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux1"="3740728561.CPX"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\Conversor de página de código MS]
"Translator"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\Conversor de página de código MS]
"Setup"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\MS Code Page Translator]
"Translator"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\MS Code Page Translator]
"Setup"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\MS Code Page-Übersetzer]
"Translator"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\MS Code Page-Übersetzer]
"Setup"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CPX]
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CPX\OpenWithList]
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\WinRAR\ArcHistory]
"2"="C:\\Documents and Settings\\Propietario\\Mis documentos\\LOGS\\112.CPX.rar"
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\WinRAR\DialogEditHistory\ArcName]
"2"="112.CPX.rar"
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\WinRAR\DialogEditHistory\ArcName]
"3"="112.cpx.rar"

Thomas

By coincidence there is some encrypted registry information that search picked up with "cpx" in it which has nothing to do with our work. Since the huge lines cause my browser to force a hard left/right scroll, if you would use the Edit button in your last post and just remove all that code starting with ""P"="q2+GX3I8N9XI]8Jm..."


For using RegDelNull, did you do this:

copy and paste RegDelNull.exe to your C folder (so it will then be C:\RegDelNull.exe).

From the registry information of course it shows a some point a 112.CPX.rar was created - the registry information is only a record that that occurred. I suspect this is when you made a zip copy to submit for me to check.

frolma

Hi, the log seemed me also too long.Here's the shorter

REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "cpx" 07/09/2008 18:56:39
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux1"="3740728561.CPX"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\Conversor de página de código MS]
"Translator"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\Conversor de página de código MS]
"Setup"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\MS Code Page Translator]
"Translator"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\MS Code Page Translator]
"Setup"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\MS Code Page-Übersetzer]
"Translator"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\MS Code Page-Übersetzer]
"Setup"="C:\\WINDOWS\\system32\\MSCPXL32.dll"
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CPX]
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CPX\OpenWithList]
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\WinRAR\ArcHistory]
"2"="C:\\Documents and Settings\\Propietario\\Mis documentos\\LOGS\\112.CPX.rar"
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\WinRAR\DialogEditHistory\ArcName]
"2"="112.CPX.rar"
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\WinRAR\DialogEditHistory\ArcName]
"3"="112.cpx.rar"

About RegDelNull.exe I'm sorry,but I can't run it

I've deleted 112.cpx.rar. It was exactly created by me.

Thomas

I have yet to see where RegDelNull does not work. That error suggests it is not security blocking it, but still some step not quite done there. A simple question - is it unzipped (uncompressed)? The RegDelNull download is a zipped file - it must be extracted, then the new file, RegDelNull.exe, placed in the C folder.

@ECHO OFF
if exist Regsearch4.txt del /q Regsearch4.txt
regedit /e Regsearch4.txt "HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CPX"
Notepad Regsearch4.txt

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text into the open text box, then save this to your desktop as "cpxcheck.bat"

Be sure to include the "" quotes in the name. Then click on cpxcheck.bat. When the scan completes a textbox will open - copy/paste those contents back here please.

---

For now, to test for effect, we will also return one of the drivers32 values to default. In case that brings on unexpected changes I will also provide the method to undo the changes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux1"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux1"="3740728561.CPX"

Open Notepad (Start - Run, type Notepad then press OK), and copy the text in the box above and paste it into the open Notepad textbox.

Save this to your desktop as "wimaudback.reg"

Be sure to include the "" quotes in the name.

Save this - if the next Regedit causes undesirable change (it shouldn't) then you can right click/Merge wimaudback.reg to undo the changes.

---

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux1"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux1"="wdmaud.drv"

Open Notepad (Start - Run, type Notepad then press OK), and copy the text in the box above and paste it into the open Notepad textbox.

Save this to your desktop as "wimaud1.reg"

Be sure to include the "" quotes in the name.

Then right click wimaud1.reg, select Merge, and allow it to merge the new information with the Registry.

frolma

Well,........eeeem (I'm sylly) I only typed Regdelnull in the command line
but... I hadn't downloaded RegDelNull.Sorry
Finally here's the log

Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Propietario>cd\
C:\>regdelnull hklm -s
RegDelNull v1.10 - Delete Registry keys with embedded Nulls
Copyright (C) 2005-2006 Mark Russinovich
Sysinternals - www.sysinternals.com
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer3
2*
Delete? (y/n) n
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer3
2*
Delete? (y/n) n
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer3
2*
Delete? (y/n) n
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer3
2*
Delete? (y/n) n
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer3
2*
Delete? (y/n) n
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer3
2*
Delete? (y/n) n
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer3
2*
Delete? (y/n) n
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer3
2*
Delete? (y/n) n
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer3
2*
Delete? (y/n) n
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer3
2*
Delete? (y/n) n
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer3
2*
Delete? (y/n) n
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer3
2*
Delete? (y/n) n
Scan complete.

C:\>


Must I to ****inue with the nexts steps that you said me in the last post?

Thomas

Haha - you misspelled an innocent word by one letter, and the silly vulgar language filter the forums use replaced it with ****. Sorry, but sometimes I enjoy how automatic functions do such silly things.

Good you corrected that RegDelNull use - this type of work is not something that is an expected skill, so small errors are not uncommon. In getting a clearer look at those null keys from the RegDelNull list, and doing a web search, I see they are part of a Pinnacle software "hive" storage there. So good we checked with RegDelNull, and since you do have Pinnacle installed you will not have to use RegDelNull again now.

Yes, go ahead with the other steps I posted please.

frolma

Yes, I know my english isn't very good but i didn't know what the asterisks
means. Now I know it .

For the moment "wimaud1.reg" seems to work well. I havn't noticed
anything strange.

Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CPX]
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CPX\OpenWithList]
"a"="notepad.exe"
"MRUList"="a"

Thomas

Not a comment on your English though - just making fun of the odd errors that happen when programs have rigid rules.

That registry entry indicates that user, which is probably your current user, opened or tried to open a .cpx type file using notepad. Still no indication of what the Gmer scan shows as hooking into some net access processes there.


Go here and download USEC.at's radix_installer_trial.zip. Then unzip that and click the radixgui.exe to open the scan display.

Then without making any changes click the Check button to start the scan. Once it has completed click the Save Log button and save that to a location you can return to. Then click the "X" to close the Radix scanner.

Post that log back here for review please.

!!!Caution - the Radix scanner has many settings and options, including many that can cause quick and permanent corruption to your operating system. Avoid the temptation to try any other options, scans or settings when using it.

frolma

Hi, here's the log
Part one

---- Check started at 9.9.2008 19:31:48 ----
Running on: Microsoft Windows NT 5.1 Build 2600 Service Pack 2
[X] Filter common false alarms.
19:31:48 - Performing check: "Hidden files":
This check can take some time depending on your harddisk size. You can interrupt it with the ESC key.
Cannot open directory C:\System Volume Information\: (null)
19:32:8 - Performing check: "Alternate Data Streams":
This check can take some time depending on your harddisk size. You can interrupt it with the ESC key.
[*] C:\Archivos de programa\DP-Book\.cache\imgs\Thumbs.db:encryptable:$DATA
[*] C:\Archivos de programa\DP-Book\recursos\Thumbs.db:encryptable:$DATA
[*] C:\Archivos de programa\Drivers\Thumbs.db:encryptable:$DATA
[*] C:\Archivos de programa\eMule\Incoming\Thumbs.db:encryptable:$DATA
[*] C:\Archivos de programa\Windows Media Connect 2\Thumbs.db:encryptable:$DATA
[*] C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab\AVP8\Data:extended:$DATA
[-] Error scanning file C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab\AVP8\Data\av176.tmp: 0x05::0x06: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso.
[*] C:\Documents and Settings\All Users\Documentos\Mis imágenes\Imágenes de muestra\Thumbs.db:encryptable:$DATA
[-] Error scanning file C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat: 0x05::0x06: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso.
[-] Error scanning file C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG: 0x05::0x06: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso.
[-] Error scanning file C:\Documents and Settings\LocalService\NTUSER.DAT: 0x05::0x06: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso.
[-] Error scanning file C:\Documents and Settings\LocalService\ntuser.dat.LOG: 0x05::0x06: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso.
[-] Error scanning file C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat: 0x05::0x06: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso.
[-] Error scanning file C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG: 0x05::0x06: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso.
[-] Error scanning file C:\Documents and Settings\NetworkService\NTUSER.DAT: 0x05::0x06: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso.
[-] Error scanning file C:\Documents and Settings\NetworkService\ntuser.dat.LOG: 0x05::0x06: El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso.
[-] Error scanning file C:\Documents and Settings\Propietario\Configuración local\Datos de programa\Microsoft\Messenger\elisabetbr91@hotmail.com\SharingMetadata\neus_91@hotmail.com\DFSR\Staging\CS{6AF09F49-A819-ECDB-94C6-4945E28473B3}\01\10-{6AF09F49-A819-ECDB-94C6-4945E28473B3}-v1: 0x05::0x06: El nombre de archivo, directorio o etiqueta del volumen no es válido.
[-] Error scanning file C:\Documents and Settings\Propietario\Configuración local\Datos de programa\Microsoft\Messenger\gfralo@hotmail.com\SharingMetadata\raul_five@hotmail.es\DFSR\Staging\CS{93C0B61E-1457-4A61-B05F-A460528C2265}\01\15-{93C0B61E-1457-4A61-B05F-A460528C2265}-v1-{C4C: 0x05::0x06: El nombre de archivo, directorio o etiqueta del volumen no es válido.

frolma

Part two

apphelp.dll (77B10000 - 77B32000)
msctfime.ime (75160000 - 7518E000)
OLEAUT32.DLL (770F0000 - 7717B000)
Selftest complete.
19:33:49 - Performing check: "Patched modules":
Module information:
Index Base Size Module
0 804D7000 001F6F00 ntkrnlpa.exe
The code of FsRtlCheckLockForReadAccess at 804E9E54 (0) got patched. Here is the diff:
Address New-Original
804E9E54: E9 - 8B
804E9E55: C3 - FF
804E9E56: 41 - 55
804E9E57: E6 - 8B
804E9E58: 29 - EC
--> JMP DWORD PTR DS:[AA34E01C]
The code of IoIsOperationSynchronous at 804EE738 (0) got patched. Here is the diff:
Address New-Original
804EE738: E9 - 8B
804EE739: 99 - FF
804EE73A: FC - 55
804EE73B: E5 - 8B
804EE73C: 29 - EC
--> JMP DWORD PTR DS:[AA34E3D6]
1 806CE000 00020380 hal.dll
2 F79FC000 00002000 KDCOM.DLL
3 F790C000 00003000 BOOTVID.dll
4 F73CC000 0002F000 ACPI.sys
5 F79FE000 00002000 WMILIB.SYS
6 F73BB000 00011000 pci.sys
7 F74FC000 00009000 isapnp.sys
8 F750C000 0000F000 ohci1394.sys
9 F751C000 0000D000 1394BUS.SYS
10 F7910000 00003000 compbatt.sys
11 F7914000 00004000 BATTC.SYS
12 F7AC4000 00001000 pciide.sys
13 F777C000 00007000 PCIIDEX.SYS
14 F7A00000 00002000 intelide.sys
15 F739D000 0001E000 pcmcia.sys
16 F752C000 0000B000 MountMgr.sys
17 F737E000 0001F000 ftdisk.sys
18 F7784000 00005000 PartMgr.sys
19 F753C000 0000D000 VolSnap.sys
20 F7366000 00018000 atapi.sys
21 F754C000 00009000 disk.sys
22 F755C000 0000D000 CLASSPNP.SYS
23 F7346000 00020000 fltMgr.sys
24 F756C000 0000B000 klbg.sys
25 F778C000 00005000 PxHelp20.sys
26 F732F000 00017000 KSecDD.sys
27 F731C000 00013000 WudfPf.sys
28 F728F000 0008D000 Ntfs.sys
29 F7262000 0002D000 NDIS.sys
30 F7247000 0001B000 Mup.sys
31 F6D28000 0051F000 kl1.sys
32 F7794000 00005000 TDI.SYS
33 F75FC000 0000A000 intelppm.sys
34 F79E4000 00004000 CmBatt.sys
35 F62D9000 00569000 igxpmp32.sys
36 F62C5000 00014000 VIDEOPRT.SYS
37 F62A0000 00025000 HDAudBus.sys
38 F77D4000 00005000 usbuhci.sys
39 F627D000 00023000 USBPORT.SYS
40 F77DC000 00007000 usbehci.sys
41 F5F5B000 00322000 w29n51.sys
42 F760C000 00010000 nic1394.sys
43 F5F33000 00028000 tifm21.sys
44 F5F22000 00011000 sdbus.sys
45 F761C000 0000B000 bcm4sbxp.sys
46 F762C000 0000E000 i8042prt.sys
47 F7A96000 00002000 EKBfltr.sys
48 F77E4000 00007000 kbdclass.sys
49 F77EC000 00006000 mouclass.sys
50 F763C000 0000B000 imapi.sys
51 F79E8000 00003000 iviaspi.sys
52 F79EC000 00003000 pfc.sys
53 F764C000 0000D000 cdrom.sys
54 F765C000 0000F000 redbook.sys
55 F5EFF000 00023000 ks.sys
56 F77F4000 00007000 GEARAspiWDM.sys
57 F5EC2000 0003D000 iwca.sys
58 F77FC000 00008000 klim5.sys
59 F7B00000 00001000 audstub.sys
60 F766C000 0000D000 rasl2tp.sys
61 F6CF3000 00003000 ndistapi.sys
62 F5E55000 00017000 ndiswan.sys
63 F767C000 0000B000 raspppoe.sys
64 F768C000 0000C000 raspptp.sys
65 F5E44000 00011000 psched.sys
66 F769C000 00009000 msgpc.sys
67 F7804000 00005000 ptilink.sys
68 F780C000 00005000 raspti.sys
69 F76BC000 0000A000 termdd.sys
70 F7A98000 00002000 swenum.sys
71 F5D23000 00059000 update.sys
72 F6862000 00004000 mssmbios.sys
73 F5CF5000 0002E000 MarvinBus.sys
74 F76CC000 0000A000 NDProxy.SYS
75 AA479000 0031F000 RtkHDAud.sys
76 AA457000 00022000 portcls.sys
77 F76FC000 0000F000 drmk.sys
78 AA389000 000CE000 smserial.sys
79 F7814000 00008000 Modem.SYS
80 F770C000 0000F000 usbhub.sys
81 F7A9E000 00002000 USBD.SYS
82 AA329000 00038000 klif.sys
83 F7AA4000 00002000 Fs_Rec.SYS
84 F7BD0000 00001000 Null.SYS
85 F7AA6000 00002000 Beep.SYS
86 F7844000 00006000 vga.sys
87 F7AA8000 00002000 mnmdd.SYS
88 F7AAA000 00002000 RDPCDD.sys
89 F784C000 00005000 Msfs.SYS
90 F7854000 00008000 Npfs.SYS
91 F79A8000 00003000 rasacd.sys
92 AA2F6000 00013000 ipsec.sys
93 AA29E000 00058000 tcpip.sys
94 AA276000 00028000 netbt.sys
95 AA254000 00022000 afd.sys
96 F774C000 00009000 netbios.sys
97 AA229000 0002B000 rdbss.sys
98 AA192000 0006F000 mrxsmb.sys
99 F775C000 00009000 Fips.SYS
100 AA171000 00021000 ipnat.sys
101 F759C000 00009000 wanarp.sys
102 F75AC000 0000F000 arp1394.sys
103 F75EC000 00010000 Cdfs.SYS
104 F787C000 00008000 usbccgp.sys
105 AA7B0000 00003000 hidusb.sys
106 F5E0C000 00009000 HIDCLASS.SYS
107 F7884000 00007000 HIDPARSE.SYS
108 F788C000 00007000 usbprint.sys
109 AA7AC000 00004000 BrScnUsb.sys
110 AA7A8000 00004000 mouhid.sys
111 AA091000 00018000 dump_atapi.sys
112 F7A24000 00002000 dump_WMILIB.SYS
113 BF800000 001C3000 win32k.sys
114 F79A0000 00003000 Dxapi.sys
115 F78AC000 00005000 watchdog.sys
116 BF000000 00012000 dxg.sys
117 F7B61000 00001000 dxgthk.sys
118 BF024000 0002A000 igxpgd32.dll
119 BF012000 00012000 igxprd32.dll
120 BF04E000 0017E000 igxpdv32.DLL
121 BF1CC000 0026A000 igxpdx32.DLL
122 A9F29000 00004000 AegisP.sys
123 A9F21000 00003000 s24trans.sys
124 A9F0D000 00004000 ndisuio.sys
125 A9C2D000 0002C000 mrxdav.sys
126 A9B9C000 00041000 HTTP.sys
127 A9B22000 00052000 srv.sys
128 A9DD9000 0000A000 secdrv.sys
129 A9775000 00015000 wdmaud.sys
130 A9952000 0000F000 sysaudio.sys
131 A954A000 00023000 Fastfat.SYS
132 F7B0A000 00001000 winio.sys
133 BFFA0000 00046000 ATMFD.DLL
134 A8D27000 0002B000 kmixer.sys
135 AA7A4000 00003000 sdthlpr.sys
136 7C910000 000B6000 ntdll.dll
Number of Module Table entries patched = 1
19:33:54 - Performing check: "SDT hooks":
0 ZwAcceptConnectPort 80598746
1 ZwAccessCheck 805E5914
2 ZwAccessCheckAndAuditAlarm 805E915A
3 ZwAccessCheckByType 805E5946
4 ZwAccessCheckByTypeAndAuditAlarm 805E9194
5 ZwAccessCheckByTypeResultList 805E597C
6 ZwAccessCheckByTypeResultListAndAuditAlarm 805E91D8
7 ZwAccessCheckByTypeResultListAndAuditAlarmByHandle 805E921C
8 ZwAddAtom 8060A880
9 ZwAddBootEntry 8060B5D2
10 ZwAdjustGroupsToken 805E0CAC
11 ZwAdjustPrivilegesToken --[HOOKED]-- AA33781A klif.sys
12 ZwAlertResumeThread 805C9928
13 ZwAlertThread 805C98D8
14 ZwAllocateLocallyUniqueId 8060AEA6
15 ZwAllocateUserPhysicalPages 805AA334
16 ZwAllocateUuids 8060A4BE
17 ZwAllocateVirtualMemory 8059CBBC
18 ZwAreMappedFilesTheSame 805A4786
19 ZwAssignProcessToJobObject 805CB406
20 ZwCallbackReturn 804FEED0
21 ZwCancelDeviceWakeupRequest 8060B5C4
22 ZwCancelIoFile 8056AE64
23 ZwCancelTimer 805343F2
24 ZwClearEvent 80603B90
25 ZwClose --[HOOKED]-- AA337DC6 klif.sys
26 ZwCloseObjectAuditAlarm 805E9694
27 ZwCompactKeys 80618A56
28 ZwCompareTokens 805EDB86
29 ZwCompleteConnectPort 80598E34
30 ZwCompressKey 80618CAA
31 ZwConnectPort --[HOOKED]-- AA33982A klif.sys
32 ZwContinue 805401F0
33 ZwCreateDebugObject 80636C9C
34 ZwCreateDirectoryObject 805B28BC
35 ZwCreateEvent 80603BE0
36 ZwCreateEventPair 8060BE48
37 ZwCreateFile --[HOOKED]-- AA3391E0 klif.sys
38 ZwCreateIoCompletion 8056BC5C
39 ZwCreateJobObject 805CA3CA
40 ZwCreateJobSet 805CA102
41 ZwCreateKey --[HOOKED]-- AA336F90 klif.sys
42 ZwCreateMailslotFile 8056D4D8
43 ZwCreateMutant 8060C240
44 ZwCreateNamedPipeFile 8056D404
45 ZwCreatePagingFile 8059FBA6
46 ZwCreatePort 80599202
47 ZwCreateProcess 805C5F8E
48 ZwCreateProcessEx 805C5ED8
49 ZwCreateProfile 8060C660
50 ZwCreateSection 8059F4EA
51 ZwCreateSemaphore 80609BDC
52 ZwCreateSymbolicLinkObject --[HOOKED]-- AA33B18C klif.sys
53 ZwCreateThread --[HOOKED]-- AA337BC2 klif.sys
54 ZwCreateTimer 8060BB10
55 ZwCreateToken 805EDF2E
56 ZwCreateWaitablePort 80599226
57 ZwDebugActiveProcess 80637D78
58 ZwDebugContinue 80637EC8
59 ZwDelayExecution 8060B514
60 ZwDeleteAtom 8060AD36
61 ZwDeleteBootEntry 8060B5C4
62 ZwDeleteFile 8056AFAA
63 ZwDeleteKey --[HOOKED]-- AA3373D2 klif.sys
64 ZwDeleteObjectAuditAlarm 805E97A0
65 ZwDeleteValueKey --[HOOKED]-- AA3375D2 klif.sys
66 ZwDeviceIoControlFile --[HOOKED]-- AA3394EC klif.sys
67 ZwDisplayString 80607B50
68 ZwDuplicateObject --[HOOKED]-- AA33B698 klif.sys
69 ZwDuplicateToken 805E1B4A
70 ZwEnumerateBootEntries 8060B5D2
71 ZwEnumerateKey --[HOOKED]-- AA3376E8 klif.sys
72 ZwEnumerateSystemEnvironmentValuesEx 8060B5B6
73 ZwEnumerateValueKey --[HOOKED]-- AA337750 klif.sys
74 ZwExtendSection 805A7EAC
75 ZwFilterToken 805E1CF6
76 ZwFindAtom 8060AAEA
77 ZwFlushBuffersFile 8056B076
78 ZwFlushInstructionCache 805AABBE
79 ZwFlushKey 80619B9A
80 ZwFlushVirtualMemory 805A08B6
81 ZwFlushWriteBuffer 805AAB60
82 ZwFreeUserPhysicalPages 805AA6D0
83 ZwFreeVirtualMemory 805A7186
84 ZwFsControlFile --[HOOKED]-- AA3393A2 klif.sys
85 ZwGetContextThread 805C62A0
86 ZwGetDevicePowerState 805BD0D6
87 ZwGetPlugPlayEvent 8058D5D8
88 ZwGetWriteWatch 8051CE1A
89 ZwImpersonateAnonymousToken 805ED87A
90 ZwImpersonateClientOfPort 80599290
91 ZwImpersonateThread 805CC59E
92 ZwInitializeRegistry 80616E5E
93 ZwInitiatePowerAction 805BCEBC
94 ZwIsProcessInJob 805C9FC6
95 ZwIsSystemResumeAutomatic 805BD0C2
96 ZwListenPort 8059949C
97 ZwLoadDriver --[HOOKED]-- AA33AC50 klif.sys
98 ZwLoadKey 8061ABB6
99 ZwLoadKey2 8061A800
100 ZwLockFile 8056D5F8

frolma

Part three

101 ZwLockProductActivationKeys 806080B2
102 ZwLockRegistryKey 80618D56
103 ZwLockVirtualMemory 805AACC6
104 ZwMakePermanentObject 805B3D3C
105 ZwMakeTemporaryObject 805B0A64
106 ZwMapUserPhysicalPages 805A9628
107 ZwMapUserPhysicalPagesScatter 805A9C00
108 ZwMapViewOfSection 805A6206
109 ZwModifyBootEntry 8060B5C4
110 ZwNotifyChangeDirectoryFile 8056E228
111 ZwNotifyChangeKey 8061AB80
112 ZwNotifyChangeMultipleKeys 80619C9C
113 ZwOpenDirectoryObject 805B298E
114 ZwOpenEvent 80603CE0
115 ZwOpenEventPair 8060BF20
116 ZwOpenFile --[HOOKED]-- AA33903C klif.sys
117 ZwOpenIoCompletion 8056BD34
118 ZwOpenJobObject 805CA550
119 ZwOpenKey --[HOOKED]-- AA3370F2 klif.sys
120 ZwOpenMutant 8060C318
121 ZwOpenObjectAuditAlarm 805E9262
122 ZwOpenProcess --[HOOKED]-- AA3379E8 klif.sys
123 ZwOpenProcessToken 805E2542
124 ZwOpenProcessTokenEx 805E2148
125 ZwOpenSection --[HOOKED]-- AA33B1B6 klif.sys
126 ZwOpenSemaphore 80609CD6
127 ZwOpenSymbolicLinkObject 805B98AA
128 ZwOpenThread --[HOOKED]-- AA33793E klif.sys
129 ZwOpenThreadToken 805E2560
130 ZwOpenThreadTokenEx 805E22B8
131 ZwOpenTimer 8060BC32
132 ZwPlugPlayControl 80639F6A
133 ZwPowerInformation 805BDF0A
134 ZwPrivilegeCheck 805EC92C
135 ZwPrivilegeObjectAuditAlarm 805E8574
136 ZwPrivilegedServiceAuditAlarm 805E8760
137 ZwProtectVirtualMemory 805AC78E
138 ZwPulseEvent 80603D98
139 ZwQueryAttributesFile 8056B25C
140 ZwQueryBootEntryOrder 8060B5D2
141 ZwQueryBootOptions 8060B5D2
142 ZwQueryDebugFilterState 8053B426
143 ZwQueryDefaultLocale 80605904
144 ZwQueryDefaultUILanguage 80606564
145 ZwQueryDirectoryFile 8056E1C2
146 ZwQueryDirectoryObject 805B2A2E
147 ZwQueryEaFile 8056E518
148 ZwQueryEvent 80603E60
149 ZwQueryFullAttributesFile 8056B394
150 ZwQueryInformationAtom 8060AD5E
151 ZwQueryInformationFile 8056ED94
152 ZwQueryInformationJobObject 805CAA22
153 ZwQueryInformationPort 805994FA
154 ZwQueryInformationProcess 805C1784
155 ZwQueryInformationThread 805C0350
156 ZwQueryInformationToken 805E2640
157 ZwQueryInstallUILanguage 80605D02
158 ZwQueryIntervalProfile 8060CAE2
159 ZwQueryIoCompletion 8056BDDC
160 ZwQueryKey --[HOOKED]-- AA3377B8 klif.sys
161 ZwQueryMultipleValueKey --[HOOKED]-- AA3374BC klif.sys
162 ZwQueryMutant 8060C3C0
163 ZwQueryObject 805B8D84
164 ZwQueryOpenSubKeys 806186BA
165 ZwQueryPerformanceCounter 8060CB70
166 ZwQueryQuotaInformationFile 8056FBDE
167 ZwQuerySection 805AC950
168 ZwQuerySecurityObject 805B4708
169 ZwQuerySemaphore 80609D8E
170 ZwQuerySymbolicLinkObject 805B994A
171 ZwQuerySystemEnvironmentValue 8060B5EE
172 ZwQuerySystemEnvironmentValueEx 8060B5A8
173 ZwQuerySystemInformation 806065E4
174 ZwQuerySystemTime 80608466
175 ZwQueryTimer 8060BCEA
176 ZwQueryTimerResolution 80607D1E
177 ZwQueryValueKey --[HOOKED]-- AA33729A klif.sys
178 ZwQueryVirtualMemory 805ACFD6
179 ZwQueryVolumeInformationFile 805700CE
180 ZwQueueApcThread --[HOOKED]-- AA33AEB8 klif.sys
181 ZwRaiseException 80540238
182 ZwRaiseHardError 80609A00
183 ZwReadFile 80570896
184 ZwReadFileScatter 80570E24
185 ZwReadRequestData 80599F82
186 ZwReadVirtualMemory 805A8498
187 ZwRegisterThreadTerminatePort 805C7522
188 ZwReleaseMutant 8060C4F8
189 ZwReleaseSemaphore 80609EBE
190 ZwRemoveIoCompletion 8056C0D4
191 ZwRemoveProcessDebug 80637E48
192 ZwRenameKey 806188AC
193 ZwReplaceKey --[HOOKED]-- AA336C12 klif.sys
194 ZwReplyPort 80599602
195 ZwReplyWaitReceivePort 8059A5CA
196 ZwReplyWaitReceivePortEx 80599FD2
197 ZwReplyWaitReplyPort 805998EC
198 ZwRequestDeviceWakeup 805BD054
199 ZwRequestPort 80596B60
200 ZwRequestWaitReplyPort --[HOOKED]-- AA33A0B4 klif.sys
201 ZwRequestWakeupLatency 805BCE62
202 ZwResetEvent 80603F72
203 ZwResetWriteWatch 8051D2FA
204 ZwRestoreKey --[HOOKED]-- AA336D74 klif.sys
205 ZwResumeProcess 805C9882
206 ZwResumeThread --[HOOKED]-- AA33B568 klif.sys
207 ZwSaveKey --[HOOKED]-- AA336A10 klif.sys
208 ZwSaveKeyEx 806173C0
209 ZwSaveMergedKeys 8061748C
210 ZwSecureConnectPort --[HOOKED]-- AA3396CC klif.sys
211 ZwSetBootEntryOrder 8060B5D2
212 ZwSetBootOptions 8060B5D2
213 ZwSetContextThread --[HOOKED]-- AA337CC0 klif.sys
214 ZwSetDebugFilterState 8063AB00
215 ZwSetDefaultHardErrorPort 806098AA
216 ZwSetDefaultLocale 80605A54
217 ZwSetDefaultUILanguage 806062C6
218 ZwSetEaFile 8056EA34
219 ZwSetEvent 80604032
220 ZwSetEventBoostPriority 806040FC
221 ZwSetHighEventPair 8060C1DC
222 ZwSetHighWaitLowEventPair 8060C10C
223 ZwSetInformationDebugObject 80637812
224 ZwSetInformationFile 8056F398
225 ZwSetInformationJobObject 805CB732
226 ZwSetInformationKey 80617C20
227 ZwSetInformationObject 805B81C8
228 ZwSetInformationProcess 805C28DC
229 ZwSetInformationThread 805C089C
230 ZwSetInformationToken 805EECA8
231 ZwSetIntervalProfile 8060C644
232 ZwSetIoCompletion 8056C072
233 ZwSetLdtEntries 805C86AE
234 ZwSetLowEventPair 8060C178
235 ZwSetLowWaitHighEventPair 8060C0A0
236 ZwSetQuotaInformationFile 8056FBBC
237 ZwSetSecurityObject --[HOOKED]-- AA33AD4A klif.sys
238 ZwSetSystemEnvironmentValue 8060B872
239 ZwSetSystemEnvironmentValueEx 8060B5A8
240 ZwSetSystemInformation --[HOOKED]-- AA33B1E0 klif.sys
241 ZwSetSystemPowerState 806470E8
242 ZwSetSystemTime 80609026
243 ZwSetThreadExecutionState 805BCD76
244 ZwSetTimer 8053452E
245 ZwSetTimerResolution 806084F8
246 ZwSetUuidSeed 8060A374
247 ZwSetValueKey --[HOOKED]-- AA337148 klif.sys
248 ZwSetVolumeInformationFile 805704F2
249 ZwShutdownSystem 80607B14
250 ZwSignalAndWaitForSingleObject 805220AC
251 ZwStartProfile 8060C88E
252 ZwStopProfile 8060CA38
253 ZwSuspendProcess --[HOOKED]-- AA33B2C4 klif.sys
254 ZwSuspendThread --[HOOKED]-- AA33B3F0 klif.sys
255 ZwSystemDebugControl --[HOOKED]-- AA33AB7C klif.sys
256 ZwTerminateJobObject 805CC29C
257 ZwTerminateProcess --[HOOKED]-- AA337A92 klif.sys
258 ZwTerminateThread 805C7966
259 ZwTestAlert 805C99EC
260 ZwTraceEvent 80530C0C
261 ZwTranslateFilePath 8060B5E0
262 ZwUnloadDriver 80578778
263 ZwUnloadKey 8061780E
264 ZwUnloadKeyEx 806179FC
265 ZwUnlockFile 8056D9A4
266 ZwUnlockVirtualMemory 805AB254
267 ZwUnmapViewOfSection 805A701C
268 ZwVdmControl 805F0060
269 ZwWaitForDebugEvent 8063757A
270 ZwWaitForMultipleObjects 805B4D74
271 ZwWaitForSingleObject 805B4C8A
272 ZwWaitHighEventPair 8060C03C
273 ZwWaitLowEventPair 8060BFD8
274 ZwWriteFile 80571334
275 ZwWriteFileGather 80571944
276 ZwWriteRequestData 80599FAA
277 ZwWriteVirtualMemory --[HOOKED]-- AA337B04 klif.sys
278 ZwYieldExecution 8050189C
279 ZwCreateKeyedEvent 8060D0B4
280 ZwOpenKeyedEvent 8060D19E
281 ZwReleaseKeyedEvent 8060D250
282 ZwWaitForKeyedEvent 8060D4DC
283 ZwQueryPortInformationProcess 805C0320
Number of Service Table entries hooked = 39
Number of Service Table entries patched = 0
19:34:7 - Performing check: "IDT hooks":
IDT offset in kernel: 0x017D6D18
IDT address: 0x8003F400 (phys.: 0x0127F400)
INT# SegType DPL ISR
000(00) IntG32 00 0008:8053D58C
001(01) IntG32 00 0008:8053D704
002(02) TaskG32 00 0058:8054A496
003(03) IntG32 03 0008:8053DAD4
004(04) IntG32 03 0008:8053DC54
005(05) IntG32 00 0008:8053DDB0
006(06) IntG32 00 0008:8053DF24
007(07) IntG32 00 0008:8053E58C
008(08) TaskG32 00 0050:8054A488
009(09) IntG32 00 0008:8053E9B0
010(0A) IntG32 00 0008:8053EAD0
011(0B) IntG32 00 0008:8053EC10
012(0C) IntG32 00 0008:8053EE6C
013(0D) IntG32 00 0008:8053F150
014(0E) IntG32 00 0008:8053F840
015(0F) IntG32 00 0008:8053FB70
016(10) IntG32 00 0008:8053FC90
017(11) IntG32 00 0008:8053FDC8
018(12) TaskG32 00 00A0:072FEEE8 (hooked)
019(13) IntG32 00 0008:8053FF30
020(14) IntG32 00 0008:8053FB70
021(15) IntG32 00 0008:8053FB70
022(16) IntG32 00 0008:8053FB70
023(17) IntG32 00 0008:8053FB70
024(18) IntG32 00 0008:8053FB70
025(19) IntG32 00 0008:8053FB70
026(1A) IntG32 00 0008:8053FB70
027(1B) IntG32 00 0008:8053FB70
028(1C) IntG32 00 0008:8053FB70
029(1D) IntG32 00 0008:8053FB70
030(1E) IntG32 00 0008:8053FB70
031(1F) IntG32 00 0008:806CFFD0
032(20) Not present
033(21) Not present
034(22) Not present
035(23) Not present
036(24) Not present
037(25) Not present
038(26) Not present
039(27) Not present
040(28) Not present
041(29) Not present
042(2A) IntG32 03 0008:8053CDCE
043(2B) IntG32 03 0008:8053CED0
044(2C) IntG32 03 0008:8053D070
045(2D) IntG32 03 0008:8053D9B0
046(2E) IntG32 03 0008:8053C871
047(2F) IntG32 00 0008:8053FB70
048(30) IntG32 00 0008:8053BF30
049(31) IntG32 00 0008:8053BF3A
050(32) IntG32 00 0008:8053BF44
051(33) IntG32 00 0008:8053BF4E
052(34) IntG32 00 0008:8053BF58
053(35) IntG32 00 0008:8053BF62
054(36) IntG32 00 0008:8053BF6C
055(37) IntG32 00 0008:806CF728
056(38) IntG32 00 0008:8053BF80
057(39) IntG32 00 0008:8053BF8A
058(3A) IntG32 00 0008:8053BF94
059(3B) IntG32 00 0008:8053BF9E
060(3C) IntG32 00 0008:8053BFA8
061(3D) IntG32 00 0008:806D0B70
062(3E) IntG32 00 0008:8053BFBC
063(3F) IntG32 00 0008:8053BFC6
064(40) IntG32 00 0008:8053BFD0
065(41) IntG32 00 0008:806D09CC
066(42) IntG32 00 0008:8053BFE4
067(43) IntG32 00 0008:8053BFEE
068(44) IntG32 00 0008:8053BFF8
069(45) IntG32 00 0008:8053C002
070(46) IntG32 00 0008:8053C00C
071(47) IntG32 00 0008:8053C016
072(48) IntG32 00 0008:8053C020
073(49) IntG32 00 0008:8053C02A
074(4A) IntG32 00 0008:8053C034
075(4B) IntG32 00 0008:8053C03E
076(4C) IntG32 00 0008:8053C048
077(4D) IntG32 00 0008:8053C052
078(4E) IntG32 00 0008:8053C05C
079(4F) IntG32 00 0008:8053C066
080(50) IntG32 00 0008:806CF800
081(51) IntG32 00 0008:8053C07A
082(52) IntG32 00 0008:8053C084
083(53) IntG32 00 0008:8053C08E
084(54) IntG32 00 0008:8053C098
085(55) IntG32 00 0008:8053C0A2
086(56) IntG32 00 0008:8053C0AC
087(57) IntG32 00 0008:8053C0B6
088(58) IntG32 00 0008:8053C0C0
089(59) IntG32 00 0008:8053C0CA
090(5A) IntG32 00 0008:8053C0D4
091(5B) IntG32 00 0008:8053C0DE
092(5C) IntG32 00 0008:8053C0E8
093(5D) IntG32 00 0008:8053C0F2
094(5E) IntG32 00 0008:8053C0FC
095(5F) IntG32 00 0008:8053C106
096(60) IntG32 00 0008:8053C110
097(61) IntG32 00 0008:8053C11A
098(62) IntG32 00 0008:86D53614 (hooked)
099(63) IntG32 00 0008:86D8F3D4 (hooked)
100(64) IntG32 00 0008:8053C138
101(65) IntG32 00 0008:8053C142
102(66) IntG32 00 0008:8053C14C
103(67) IntG32 00 0008:8053C156
104(68) IntG32 00 0008:8053C160
105(69) IntG32 00 0008:8053C16A
106(6A) IntG32 00 0008:8053C174
107(6B) IntG32 00 0008:8053C17E
108(6C) IntG32 00 0008:8053C188
109(6D) IntG32 00 0008:8053C192
110(6E) IntG32 00 0008:8053C19C
111(6F) IntG32 00 0008:8053C1A6
112(70) IntG32 00 0008:8053C1B0
113(71) IntG32 00 0008:8053C1BA
114(72) IntG32 00 0008:8053C1C4
115(73) IntG32 00 0008:86D1E684 (hooked)
116(74) IntG32 00 0008:8053C1D8
117(75) IntG32 00 0008:8053C1E2
118(76) IntG32 00 0008:8053C1EC
119(77) IntG32 00 0008:8053C1F6
120(78) IntG32 00 0008:8053C200
121(79) IntG32 00 0008:8053C20A
122(7A) IntG32 00 0008:8053C214
123(7B) IntG32 00 0008:8053C21E
124(7C) IntG32 00 0008:8053C228
125(7D) IntG32 00 0008:8053C232
126(7E) IntG32 00 0008:8053C23C
127(7F) IntG32 00 0008:8053C246
128(80) IntG32 00 0008:8053C250
129(81) IntG32 00 0008:8053C25A
130(82) IntG32 00 0008:86D37DD4 (hooked)
131(83) IntG32 00 0008:85E0FDD4 (hooked)
132(84) IntG32 00 0008:8053C278
133(85) IntG32 00 0008:8053C282
134(86) IntG32 00 0008:8053C28C
135(87) IntG32 00 0008:8053C296
136(88) IntG32 00 0008:8053C2A0
137(89) IntG32 00 0008:8053C2AA
138(8A) IntG32 00 0008:8053C2B4
139(8B) IntG32 00 0008:8053C2BE
140(8C) IntG32 00 0008:8053C2C8
141(8D) IntG32 00 0008:8053C2D2
142(8E) IntG32 00 0008:8053C2DC
143(8F) IntG32 00 0008:8053C2E6
144(90) IntG32 00 0008:8053C2F0
145(91) IntG32 00 0008:8053C2FA
146(92) IntG32 00 0008:8053C304
147(93) IntG32 00 0008:8686DDD4 (hooked)
148(94) IntG32 00 0008:8053C318
149(95) IntG32 00 0008:8053C322
150(96) IntG32 00 0008:8053C32C
151(97) IntG32 00 0008:8053C336
152(98) IntG32 00 0008:8053C340
153(99) IntG32 00 0008:8053C34A
154(9A) IntG32 00 0008:8053C354
155(9B) IntG32 00 0008:8053C35E
156(9C) IntG32 00 0008:8053C368
157(9D) IntG32 00 0008:8053C372
158(9E) IntG32 00 0008:8053C37C
159(9F) IntG32 00 0008:8053C386
160(A0) IntG32 00 0008:8053C390
161(A1) IntG32 00 0008:8053C39A
162(A2) IntG32 00 0008:8053C3A4
163(A3) IntG32 00 0008:869D3DD4 (hooked)
164(A4) IntG32 00 0008:86BD2044 (hooked)
165(A5) IntG32 00 0008:8053C3C2
166(A6) IntG32 00 0008:8053C3CC
167(A7) IntG32 00 0008:8053C3D6
168(A8) IntG32 00 0008:8053C3E0
169(A9) IntG32 00 0008:8053C3EA
170(AA) IntG32 00 0008:8053C3F4
171(AB) IntG32 00 0008:8053C3FE
172(AC) IntG32 00 0008:8053C408
173(AD) IntG32 00 0008:8053C412
174(AE) IntG32 00 0008:8053C41C
175(AF) IntG32 00 0008:8053C426
176(B0) IntG32 00 0008:8053C430
177(B1) IntG32 00 0008:86D8CD34 (hooked)
178(B2) IntG32 00 0008:8053C444
179(B3) IntG32 00 0008:8053C44E
180(B4) IntG32 00 0008:86899A7C (hooked)
181(B5) IntG32 00 0008:8053C462
182(B6) IntG32 00 0008:8053C46C
183(B7) IntG32 00 0008:8053C476
184(B8) IntG32 00 0008:8053C480
185(B9) IntG32 00 0008:8053C48A
186(BA) IntG32 00 0008:8053C494
187(BB) IntG32 00 0008:8053C49E
188(BC) IntG32 00 0008:8053C4A8
189(BD) IntG32 00 0008:8053C4B2
190(BE) IntG32 00 0008:8053C4BC
191(BF) IntG32 00 0008:8053C4C6
192(C0) IntG32 00 0008:8053C4D0
193(C1) IntG32 00 0008:806CF984
194(C2) IntG32 00 0008:8053C4E4
195(C3) IntG32 00 0008:8053C4EE
196(C4) IntG32 00 0008:8053C4F8
197(C5) IntG32 00 0008:8053C502
198(C6) IntG32 00 0008:8053C50C
199(C7) IntG32 00 0008:8053C516
200(C8) IntG32 00 0008:8053C520
201(C9) IntG32 00 0008:8053C52A
202(CA) IntG32 00 0008:8053C534
203(CB) IntG32 00 0008:8053C53E
204(CC) IntG32 00 0008:8053C548
205(CD) IntG32 00 0008:8053C552
206(CE) IntG32 00 0008:8053C55C
207(CF) IntG32 00 0008:8053C566
208(D0) IntG32 00 0008:8053C570
209(D1) IntG32 00 0008:806CED34
210(D2) IntG32 00 0008:8053C584
211(D3) IntG32 00 0008:8053C58E
212(D4) IntG32 00 0008:8053C598
213(D5) IntG32 00 0008:8053C5A2
214(D6) IntG32 00 0008:8053C5AC
215(D7) IntG32 00 0008:8053C5B6
216(D8) IntG32 00 0008:8053C5C0
217(D9) IntG32 00 0008:8053C5CA
218(DA) IntG32 00 0008:8053C5D4
219(DB) IntG32 00 0008:8053C5DE
220(DC) IntG32 00 0008:8053C5E8
221(DD) IntG32 00 0008:8053C5F2
222(DE) IntG32 00 0008:8053C5FC
223(DF) IntG32 00 0008:8053C606
224(E0) IntG32 00 0008:8053C610
225(E1) IntG32 00 0008:806CFF0C
226(E2) IntG32 00 0008:8053C624
227(E3) IntG32 00 0008:806CFC70
228(E4) IntG32 00 0008:8053C638
229(E5) IntG32 00 0008:8053C642
230(E6) IntG32 00 0008:8053C64C
231(E7) IntG32 00 0008:8053C656
232(E8) IntG32 00 0008:8053C660
233(E9) IntG32 00 0008:8053C66A
234(EA) IntG32 00 0008:8053C674
235(EB) IntG32 00 0008:8053C67E
236(EC) IntG32 00 0008:8053C688
237(ED) IntG32 00 0008:8053C692
238(EE) IntG32 00 0008:8053C699
239(EF) IntG32 00 0008:8053C6A0
240(F0) IntG32 00 0008:8053C6A7
241(F1) IntG32 00 0008:8053C6AE
242(F2) IntG32 00 0008:8053C6B5
243(F3) IntG32 00 0008:8053C6BC
244(F4) IntG32 00 0008:8053C6C3
245(F5) IntG32 00 0008:8053C6CA
246(F6) IntG32 00 0008:8053C6D1
247(F7) IntG32 00 0008:8053C6D8
248(F8) IntG32 00 0008:8053C6DF
249(F9) IntG32 00 0008:8053C6E6
250(FA) IntG32 00 0008:8053C6ED
251(FB) IntG32 00 0008:8053C6F4
252(FC) IntG32 00 0008:8053C6FB
253(FD) IntG32 00 0008:806D0464
254(FE) IntG32 00 0008:806D0604
255(FF) IntG32 00 0008:8053C710
19:34:26 - Performing check: "SYSENTER hook":
SYSENTER offset in kernel: 0x00465930 (=0x8053C930)
SYSENTER EIP: 0008:8053C930 [OK]
---- Check ended at 9.9.2008 19:34:26 ----

Thomas

That scan has a friendly use of words to tell what it sees, and there it sees Kaspersky's hooks again, but in better details now. But no indications of what is still doing crypt net accesses hooked into processes there. there is a piece of the log not showing though - could you check to see if you left out the part that starts like this:

0 streams found.
5:37:48 - Performing check: "Hidden processes":
PID: 0 [00000000] (Idle)


Post back that part please, and some additional checks against, again, known issues of the infection that has shown there.

@ECHO OFF
if exist Regsearch1.txt del /q Regsearch1.txt
regedit /e Regsearch1.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
Notepad Regsearch1.txt

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text into the open text box, then save this to your desktop as "hookcheck.bat"

Be sure to include the "" quotes in the name. Then click on hookcheck.bat. When the scan completes a textbox will open - copy/paste those contents back here please. Sorry - it will be another large log file.

---

Then use the Registry Search tool again and do a search using the following term:

MS alchemy

frolma

Here's the "hidden part".

197 streams found.
19:33:43 - Performing check: "Hidden processes":
(01) PID: 0 [00000000] (Idle)
(85) PID: 4 [86DC67C0] (System)
(127) PID: 148 [8680C718] (svchost.exe)
(127) PID: 156 [869E3DA0] (svchost.exe)
(127) PID: 252 [86890278] (svchost.exe)
(109) PID: 316 [86746560] (wscntfy.exe)
(127) PID: 412 [8672E278] (EvtEng.exe)
(127) PID: 444 [868C1578] (S24EvMon.exe)
(127) PID: 456 [869A25A0] (ZCfgSvc.exe)
(127) PID: 532 [86801C18] (CALMAIN.exe)
(127) PID: 792 [8697A340] (svchost.exe)
(125) PID: 1024 [86940420] (alg.exe)
(127) PID: 1044 [868FADA0] (explorer.exe)
(127) PID: 1176 [86797728] (1XConfig.exe)
(111) PID: 1224 [86794398] (brsvc01a.exe)
(127) PID: 1240 [869F63D0] (brss01a.exe)
(111) PID: 1248 [869FEBE0] (spoolsv.exe)
(71) PID: 1388 [869E1020] (smss.exe)
(127) PID: 1448 [867B0A28] (AppleMobileDeviceService.exe)
(127) PID: 1464 [86C33500] (avp.exe)
(127) PID: 1540 [86864558] (csrss.exe)
(127) PID: 1564 [8684A6A8] (winlogon.exe)
(127) PID: 1608 [8670D240] (services.exe)
(127) PID: 1620 [86982390] (lsass.exe)
(111) PID: 1696 [867BE5D8] (OProtSvc.exe)
(127) PID: 1780 [86C37BE8] (svchost.exe)
(127) PID: 1892 [867CF3E8] (svchost.exe)
(111) PID: 2028 [868F18D8] (RegSrvc.exe)
(111) PID: 2600 [8693C890] (sm56hlpr.exe)
(127) PID: 2612 [8693C610] (RTHDCPL.EXE)
(127) PID: 2632 [86836860] (PM.exe)
(111) PID: 2664 [8672F500] (iFrmewrk.exe)
(111) PID: 2676 [869516A0] (EOUWiz.exe)
(111) PID: 2684 [867F2860] (jusched.exe)
(111) PID: 2716 [869583A8] (pptd40nt.exe)
(127) PID: 2744 [869436A0] (brctrcen.exe)
(111) PID: 2756 [86944BE0] (qttask.exe)
(111) PID: 2764 [8672F880] (sprtcmd.exe)
(111) PID: 2776 [868A25E8] (PowerDVD.exe)
(111) PID: 2796 [8683F4A0] (hkcmd.exe)
(111) PID: 2808 [868A9A20] (igfxpers.exe)
(127) PID: 2828 [8681E680] (avp.exe)
(109) PID: 2848 [867D56A0] (iTunesHelper.exe)
(109) PID: 2860 [8682DDA0] (ctfmon.exe)
(109) PID: 2872 [867F2510] (msmsgs.exe)
(125) PID: 2968 [868E35C0] (iPodService.exe)
(109) PID: 3656 [86C5ACD0] (radixgui.exe)
19:33:47 - Performing check: "Selftest":
Doing a short selftest...
-> Checking IAT


Regsearch1

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,90,04,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,00,00,07,00,0b,00,00,00,00,\
00,07,00,0b,00,00,00,3f,00,00,00,02,00,00,00,04,00,01,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,44,00,00,00,01,00,56,00,61,00,72,00,46,00,69,\
00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,00,00,24,00,04,00,00,00,54,00,\
72,00,61,00,6e,00,73,00,6c,00,61,00,74,00,69,00,6f,00,6e,00,00,00,00,00,09,\
04,e4,04,f0,03,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,00,69,00,\
6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,cc,03,00,00,01,00,30,00,34,00,30,\
00,39,00,30,00,34,00,45,00,34,00,00,00,4a,00,19,00,01,00,43,00,6f,00,6d,00,\
6d,00,65,00,6e,00,74,00,73,00,00,00,43,00,72,00,79,00,73,00,74,00,61,00,6c,\
00,20,00,53,00,51,00,4c,00,20,00,44,00,65,00,73,00,69,00,67,00,6e,00,65,00,\
72,00,20,00,37,00,2e,00,30,00,00,00,00,00,88,00,34,00,01,00,43,00,6f,00,6d,\
00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,53,00,65,00,\
61,00,67,00,61,00,74,00,65,00,20,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,\
00,65,00,20,00,49,00,6e,00,66,00,6f,00,72,00,6d,00,61,00,74,00,69,00,6f,00,\
6e,00,20,00,4d,00,61,00,6e,00,61,00,67,00,65,00,6d,00,65,00,6e,00,74,00,20,\
00,47,00,72,00,6f,00,75,00,70,00,2c,00,20,00,49,00,6e,00,63,00,2e,00,00,00,\
ae,00,45,00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,\
00,69,00,67,00,68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,\
68,00,74,00,20,00,28,00,63,00,29,00,20,00,31,00,39,00,39,00,31,00,2d,00,31,\
00,39,00,39,00,10,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe]
"ApplicationGoo"=hex:54,09,00,00,54,02,00,00,00,02,00,00,8c,03,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,02,00,a8,11,2e,04,00,00,02,\
00,a8,11,2e,04,00,00,3f,00,00,00,20,00,00,00,04,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,ec,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,c8,02,00,00,\
01,00,30,00,30,00,30,00,30,00,30,00,34,00,62,00,30,00,00,00,38,00,10,00,01,\
00,43,00,6f,00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,4f,00,72,00,69,00,\
67,00,6e,00,61,00,6c,00,20,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,\
00,42,00,11,00,01,00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,\
6d,00,65,00,00,00,00,00,53,00,41,00,50,00,20,00,41,00,47,00,2c,00,20,00,57,\
00,61,00,6c,00,6c,00,64,00,6f,00,72,00,66,00,00,00,00,00,5a,00,19,00,01,00,\
46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,\
00,6f,00,6e,00,00,00,00,00,53,00,41,00,50,00,20,00,46,00,72,00,6f,00,6e,00,\
74,00,65,00,6e,00,64,00,20,00,66,00,6f,00,72,00,20,00,57,00,69,00,6e,00,64,\
00,6f,00,77,00,73,00,00,00,00,00,3c,00,0e,00,01,00,46,00,69,00,6c,00,65,00,\
56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,34,00,35,00,32,00,30,\
00,2e,00,32,00,2e,00,30,00,2e,00,31,00,30,00,37,00,30,00,00,00,32,00,09,00,\
01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,65,\
00,00,00,46,00,45,00,57,00,46,00,52,00,4f,00,4e,00,54,00,00,00,00,00,7a,00,\
2b,00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,\
00,67,00,68,00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,\
04,00,00,00,00,00,00,00,65,05,00,00,02,00,00,00,03,00,00,00,00,00,01,00,53,\
00,65,00,72,00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,\
33,00,00,00,23,00,54,02,00,00,00,02,00,00,8c,03,34,00,00,00,56,00,53,00,5f,\
00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,46,00,4f,00,\
00,00,00,00,bd,04,ef,fe,00,00,01,00,03,00,9e,11,26,04,00,00,03,00,9e,11,26,\
04,00,00,3f,00,00,00,20,00,00,00,04,00,00,00,01,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,ec,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,\
00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,c8,02,00,00,01,00,30,00,\
30,00,30,00,30,00,30,00,34,00,62,00,30,00,00,00,38,00,10,00,01,00,43,00,6f,\
00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,4f,00,72,00,69,00,67,00,6e,00,\
61,00,6c,00,20,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,42,00,11,\
00,01,00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,\
00,00,00,00,53,00,41,00,50,00,20,00,41,00,47,00,2c,00,20,00,57,00,61,00,6c,\
00,6c,00,64,00,6f,00,72,00,66,00,00,00,00,00,5a,00,19,00,01,00,46,00,69,00,\
6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,\
00,00,00,00,00,53,00,41,00,50,00,20,00,46,00,72,00,6f,00,6e,00,74,00,65,00,\
6e,00,64,00,20,00,66,00,6f,00,72,00,20,00,57,00,69,00,6e,00,64,00,6f,00,77,\
00,73,00,00,00,00,00,3c,00,0e,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,\
72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,34,00,35,00,31,00,30,00,2e,00,33,\
00,2e,00,30,00,2e,00,31,00,30,00,36,00,32,00,00,00,32,00,09,00,01,00,49,00,\
6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,65,00,00,00,46,\
00,45,00,57,00,46,00,52,00,4f,00,4e,00,54,00,00,00,00,00,7a,00,2b,00,01,00,\
4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,\
00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,04,00,00,00,\
00,00,00,00,65,05,00,00,02,00,00,00,03,00,00,00,00,00,01,00,53,00,65,00,72,\
00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,33,00,00,00,\
23,00,54,02,00,00,00,02,00,00,20,03,34,00,00,00,56,00,53,00,5f,00,56,00,45,\
00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,46,00,4f,00,00,00,00,00,\
bd,04,ef,fe,00,00,01,00,00,00,04,00,f0,03,00,00,00,00,04,00,f0,03,00,00,3f,\
00,00,00,00,00,00,00,04,00,01,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,7e,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,00,69,00,6c,\
00,65,00,49,00,6e,00,66,00,6f,00,00,00,5a,02,00,00,01,00,30,00,34,00,30,00,\
39,00,30,00,34,00,45,00,34,00,00,00,2e,00,07,00,01,00,43,00,6f,00,6d,00,70,\
00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,53,00,41,00,50,00,\
20,00,41,00,47,00,00,00,00,00,5a,00,19,00,01,00,46,00,69,00,6c,00,65,00,44,\
00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,00,00,00,\
53,00,41,00,50,00,20,00,46,00,72,00,6f,00,6e,00,74,00,65,00,6e,00,64,00,20,\
00,66,00,6f,00,72,00,20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,00,00,\
00,00,36,00,0b,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,\
00,6f,00,6e,00,00,00,00,00,34,00,2e,00,30,00,2e,00,30,00,2e,00,31,00,30,00,\
30,00,38,00,00,00,00,00,2c,00,06,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,\
00,61,00,6c,00,4e,00,61,00,6d,00,65,00,00,00,46,00,52,00,4f,00,4e,00,54,00,\
00,00,5e,00,1d,00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,\
00,72,00,69,00,67,00,68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,\
67,00,68,00,74,00,20,00,a9,00,20,00,31,00,39,00,39,00,33,00,2d,00,31,00,39,\
00,39,00,37,00,20,00,53,00,41,00,50,00,20,00,41,00,47,00,00,00,00,00,28,00,\
00,00,01,00,4c,00,65,00,67,00,61,00,6c,00,54,00,72,00,61,00,64,00,02,00,00,\
00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,04,00,00,00,00,00,00,00,\
65,05,00,00,02,00,00,00,03,00,00,00,00,00,01,00,53,00,65,00,72,00,76,00,69,\
00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,33,00,00,00,23,00,54,02,\
00,00,00,02,00,00,18,03,34,00,00,00,56,00,53,00,5f,00,56,00,45,00,52,00,53,\
00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,46,00,4f,00,00,00,00,00,bd,04,ef,fe,\
00,00,01,00,00,00,04,00,dd,03,00,00,00,00,04,00,dd,03,00,00,3f,00,00,00,00,\
00,00,00,04,00,01,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,78,02,\
00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,00,69,00,6c,00,65,00,49,\
00,6e,00,66,00,6f,00,00,00,54,02,00,00,01,00,30,00,34,00,30,00,39,00,30,00,\
34,00,45,00,34,00,00,00,2e,00,07,00,01,00,43,00,6f,00,6d,00,70,00,61,00,6e,\
00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,53,00,41,00,50,00,20,00,41,00,\
47,00,00,00,00,00,5a,00,19,00,01,00,46,00,69,00,6c,00,65,00,44,00,65,00,73,\
00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,00,00,00,53,00,41,00,\
50,00,20,00,46,00,72,00,6f,00,6e,00,74,00,65,00,6e,00,64,00,20,00,66,00,6f,\
00,72,00,20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,00,00,00,00,34,00,\
0a,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,\
00,00,00,00,00,34,00,2e,00,30,00,2e,00,30,00,2e,00,39,00,38,00,39,00,00,00,\
2c,00,06,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,\
00,6d,00,65,00,00,00,46,00,52,00,4f,00,4e,00,54,00,00,00,5e,00,1d,00,01,00,\
4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,\
00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,20,00,\
a9,00,20,00,31,00,39,00,39,00,33,00,2d,00,31,00,39,00,39,00,37,00,20,00,53,\
00,41,00,50,00,20,00,41,00,47,00,00,00,00,00,28,00,00,00,01,00,4c,00,65,00,\
67,00,61,00,6c,00,54,00,72,00,61,00,64,00,65,00,6d,00,02,00,00,00,00,00,00,\
00,01,00,00,00,4c,00,00,00,3c,fd,06,00,04,00,00,00,00,00,00,00,65,05,00,00,\
02,00,00,00,03,00,00,00,00,00,01,00,53,00,65,00,72,00,76,00,69,00,63,00,65,\
00,20,00,50,00,61,00,63,00,6b,00,20,00,33,00,00,00,23,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe]
"ApplicationGoo"=hex:58,02,00,00,54,02,00,00,00,02,00,00,6c,07,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,05,00,05,00,07,00,a8,07,05,\
00,05,00,07,00,a8,07,3f,00,00,00,00,00,00,00,04,00,04,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,cc,06,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,54,03,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,42,00,30,00,00,00,18,00,00,00,01,\
00,43,00,6f,00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,4c,00,16,00,01,00,\
43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,\
00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,43,00,6f,00,\
72,00,70,00,6f,00,72,00,61,00,74,00,69,00,6f,00,6e,00,00,00,68,00,20,00,01,\
00,46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,\
69,00,6f,00,6e,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,\
00,74,00,20,00,45,00,78,00,63,00,68,00,61,00,6e,00,67,00,65,00,20,00,53,00,\
65,00,72,00,76,00,65,00,72,00,20,00,53,00,65,00,74,00,75,00,70,00,00,00,36,\
00,0b,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,\
6e,00,00,00,00,00,35,00,2e,00,35,00,2e,00,31,00,39,00,36,00,30,00,2e,00,37,\
00,00,00,00,00,2c,00,06,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,\
6c,00,4e,00,61,00,6d,00,65,00,00,00,53,00,65,00,74,00,75,00,70,00,00,00,9c,\
00,3c,00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,\
69,00,67,00,68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,\
00,74,00,20,00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,\
05,00,00,00,00,00,00,00,65,05,00,00,02,00,00,00,03,00,00,00,02,00,00,00,53,\
00,65,00,72,00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,\
34,00,00,00,23,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe]
"ApplicationGoo"=hex:58,02,00,00,54,02,00,00,00,02,00,00,44,02,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,01,00,01,00,0c,00,00,00,01,\
00,01,00,0c,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,44,00,00,00,00,00,56,00,61,00,72,00,46,00,69,\
00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,00,00,24,00,04,00,00,00,54,00,\
72,00,61,00,6e,00,73,00,6c,00,61,00,74,00,69,00,6f,00,6e,00,00,00,00,00,09,\
04,b0,04,a4,01,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,00,69,00,\
6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,80,01,00,00,01,00,30,00,34,00,30,\
00,39,00,30,00,34,00,42,00,30,00,00,00,40,00,20,00,01,00,43,00,6f,00,6d,00,\
70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,44,00,65,00,4c,\
00,6f,00,72,00,6d,00,65,00,20,00,4d,00,61,00,70,00,70,00,69,00,6e,00,67,00,\
00,00,44,00,22,00,01,00,50,00,72,00,6f,00,64,00,75,00,63,00,74,00,4e,00,61,\
00,6d,00,65,00,00,00,00,00,52,00,65,00,67,00,20,00,28,00,44,00,4c,00,69,00,\
62,00,62,00,79,00,5c,00,6d,00,73,00,66,00,29,00,00,00,00,00,34,00,14,00,01,\
00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,\
00,00,31,00,2e,00,30,00,31,00,2e,00,30,00,30,00,31,00,32,00,00,00,38,00,14,\
00,01,00,50,00,72,00,6f,00,64,00,75,00,63,00,74,00,56,00,65,00,72,00,73,00,\
69,00,6f,00,6e,00,00,00,31,00,2e,00,30,00,31,00,2e,00,30,00,30,00,31,00,32,\
00,00,00,34,00,12,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,\
4e,00,61,00,6d,00,65,00,00,00,4d,00,4e,00,47,00,52,00,45,00,47,00,33,00,32,\
00,00,00,00,00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,\
04,00,00,00,00,00,00,00,65,05,00,00,02,00,00,00,03,00,00,00,00,00,01,00,53,\
00,65,00,72,00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,\
33,00,00,00,23,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE]
"GlobalFlag"="0x00200000"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE]
"GlobalFlag"="0x00200000"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,b4,02,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,35,00,07,00,00,00,00,00,35,\
00,07,00,00,00,00,00,3f,00,00,00,00,00,00,00,04,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,12,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,ee,01,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,62,00,30,00,00,00,42,00,11,00,01,\
00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,\
00,00,50,00,65,00,6f,00,70,00,6c,00,65,00,53,00,6f,00,66,00,74,00,2c,00,20,\
00,49,00,6e,00,63,00,2e,00,00,00,00,00,28,00,00,00,01,00,46,00,69,00,6c,00,\
65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,\
00,00,00,2a,00,05,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,\
69,00,6f,00,6e,00,00,00,00,00,37,00,2e,00,35,00,33,00,00,00,00,00,9c,00,3c,\
00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,\
67,00,68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,\
00,20,00,a9,00,20,00,31,00,39,00,38,00,38,00,2d,00,31,00,39,00,39,00,38,00,\
20,00,50,00,65,00,6f,00,70,00,6c,00,65,00,53,00,6f,00,66,00,74,00,2c,00,20,\
00,49,00,6e,00,63,00,2e,00,20,00,20,00,41,00,6c,00,6c,00,20,00,52,00,69,00,\
67,00,68,00,74,00,73,00,20,00,52,00,65,00,73,00,65,00,72,00,76,00,65,00,64,\
00,00,00,3c,00,0a,00,01,00,4f,00,72,00,69,00,67,00,69,00,6e,00,61,00,6c,00,\
46,00,69,00,6c,00,65,00,6e,00,61,00,6d,00,65,00,00,00,70,00,73,00,64,00,6d,\
00,74,00,2e,00,10,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\salwrap.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe]
"ApplicationGoo"=hex:00,07,00,00,54,02,00,00,00,02,00,00,84,07,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,05,00,05,00,07,00,a8,07,05,\
00,05,00,07,00,a8,07,3f,00,00,00,00,00,00,00,04,00,04,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,e4,06,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,60,03,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,42,00,30,00,00,00,18,00,00,00,01,\
00,43,00,6f,00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,4c,00,16,00,01,00,\
43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,\
00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,43,00,6f,00,\
72,00,70,00,6f,00,72,00,61,00,74,00,69,00,6f,00,6e,00,00,00,68,00,20,00,01,\
00,46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,\
69,00,6f,00,6e,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,\
00,74,00,20,00,45,00,78,00,63,00,68,00,61,00,6e,00,67,00,65,00,20,00,53,00,\
65,00,72,00,76,00,65,00,72,00,20,00,53,00,65,00,74,00,75,00,70,00,00,00,36,\
00,0b,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,\
6e,00,00,00,00,00,35,00,2e,00,35,00,2e,00,31,00,39,00,36,00,30,00,2e,00,37,\
00,00,00,00,00,2c,00,06,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,\
6c,00,4e,00,61,00,6d,00,65,00,00,00,53,00,65,00,74,00,75,00,70,00,00,00,9e,\
00,3d,00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,\
69,00,67,00,68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,\
00,74,00,20,00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,\
05,00,00,00,00,00,00,00,65,05,00,00,02,00,00,00,00,00,00,00,00,00,00,00,53,\
00,65,00,72,00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,\
33,00,00,00,24,00,54,02,00,00,00,02,00,00,a4,08,34,00,00,00,56,00,53,00,5f,\
00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,46,00,4f,00,\
00,00,00,00,bd,04,ef,fe,00,00,01,00,05,00,05,00,07,00,a8,07,05,00,05,00,07,\
00,a8,07,3f,00,00,00,00,00,00,00,04,00,04,00,01,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,04,08,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,\
00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,f0,03,00,00,01,00,30,00,\
34,00,30,00,39,00,30,00,34,00,42,00,30,00,00,00,18,00,00,00,01,00,43,00,6f,\
00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,4c,00,16,00,01,00,43,00,6f,00,\
6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,4d,00,69,\
00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,43,00,6f,00,72,00,70,00,\
6f,00,72,00,61,00,74,00,69,00,6f,00,6e,00,00,00,68,00,20,00,01,00,46,00,69,\
00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,\
6e,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,\
00,45,00,78,00,63,00,68,00,61,00,6e,00,67,00,65,00,20,00,53,00,65,00,72,00,\
76,00,65,00,72,00,20,00,53,00,65,00,74,00,75,00,70,00,00,00,36,00,0b,00,01,\
00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,\
00,00,35,00,2e,00,35,00,2e,00,31,00,39,00,36,00,30,00,2e,00,37,00,00,00,00,\
00,2c,00,06,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,\
61,00,6d,00,65,00,00,00,53,00,65,00,74,00,75,00,70,00,00,00,a6,00,41,00,01,\
00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,\
68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,20,\
00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,05,00,00,00,\
00,00,00,00,65,05,00,00,02,00,00,00,00,00,00,00,00,00,00,00,53,00,65,00,72,\
00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,33,00,00,00,\
24,00,54,02,00,00,00,02,00,00,18,04,34,00,00,00,56,00,53,00,5f,00,56,00,45,\
00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,46,00,4f,00,00,00,00,00,\
bd,04,ef,fe,00,00,01,00,05,00,05,00,07,00,a8,07,05,00,05,00,07,00,a8,07,3f,\
00,00,00,00,00,00,00,04,00,04,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,78,03,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,00,69,00,6c,\
00,65,00,49,00,6e,00,66,00,6f,00,00,00,54,03,00,00,01,00,30,00,34,00,30,00,\
39,00,30,00,34,00,42,00,30,00,00,00,18,00,00,00,01,00,43,00,6f,00,6d,00,6d,\
00,65,00,6e,00,74,00,73,00,00,00,4c,00,16,00,01,00,43,00,6f,00,6d,00,70,00,\
61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,4d,00,69,00,63,00,72,\
00,6f,00,73,00,6f,00,66,00,74,00,20,00,43,00,6f,00,72,00,70,00,6f,00,72,00,\
61,00,74,00,69,00,6f,00,6e,00,00,00,68,00,20,00,01,00,46,00,69,00,6c,00,65,\
00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,00,\
00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,45,00,78,\
00,63,00,68,00,61,00,6e,00,67,00,65,00,20,00,53,00,65,00,72,00,76,00,65,00,\
72,00,20,00,53,00,65,00,74,00,75,00,70,00,00,00,36,00,0b,00,01,00,46,00,69,\
00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,35,00,\
2e,00,35,00,2e,00,31,00,39,00,36,00,30,00,2e,00,37,00,00,00,00,00,2c,00,06,\
00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,\
65,00,00,00,53,00,65,00,74,00,75,00,70,00,00,00,9a,00,3b,00,01,00,4c,00,65,\
00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,\
00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,20,00,02,00,00,\
00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,05,00,00,00,00,00,00,00,\
65,05,00,00,02,00,00,00,00,00,00,00,00,00,00,00,53,00,65,00,72,00,76,00,69,\
00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,33,00,00,00,24,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,04,03,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,1c,00,08,00,00,00,00,00,00,\
00,08,00,00,00,00,00,3f,00,00,00,00,00,00,00,04,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,64,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,40,02,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,62,00,30,00,00,00,44,00,12,00,01,\
00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,\
00,00,43,00,6f,00,72,00,65,00,6c,00,20,00,43,00,6f,00,72,00,70,00,6f,00,72,\
00,61,00,74,00,69,00,6f,00,6e,00,00,00,4e,00,13,00,01,00,46,00,69,00,6c,00,\
65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,\
00,00,00,43,00,6f,00,72,00,65,00,6c,00,20,00,53,00,65,00,74,00,75,00,70,00,\
20,00,57,00,69,00,7a,00,61,00,72,00,64,00,00,00,00,00,2c,00,06,00,01,00,46,\
00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,\
38,00,2e,00,30,00,32,00,38,00,00,00,46,00,13,00,01,00,49,00,6e,00,74,00,65,\
00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,65,00,00,00,43,00,6f,00,72,00,\
65,00,6c,00,20,00,53,00,65,00,74,00,75,00,70,00,20,00,57,00,69,00,7a,00,61,\
00,72,00,64,00,00,00,00,00,6c,00,24,00,01,00,4c,00,65,00,67,00,61,00,6c,00,\
43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,00,00,43,00,6f,00,70,\
00,79,00,72,00,69,00,67,00,68,00,74,00,20,00,a9,00,20,00,31,00,39,00,39,00,\
37,00,2c,00,20,00,43,00,6f,00,72,00,65,00,6c,00,20,00,43,00,6f,00,72,00,70,\
00,6f,00,72,00,08,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,38,03,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,02,00,0a,00,01,00,0a,00,02,\
00,0a,00,01,00,0a,00,00,00,00,00,00,00,00,00,04,00,01,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,98,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,74,02,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,45,00,34,00,00,00,4a,00,15,00,01,\
00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,\
00,00,53,00,79,00,6d,00,61,00,6e,00,74,00,65,00,63,00,20,00,43,00,6f,00,72,\
00,70,00,6f,00,72,00,61,00,74,00,69,00,6f,00,6e,00,00,00,00,00,60,00,1c,00,\
01,00,46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,\
00,69,00,6f,00,6e,00,00,00,00,00,53,00,79,00,6d,00,61,00,6e,00,74,00,65,00,\
63,00,20,00,53,00,79,00,6d,00,65,00,76,00,65,00,6e,00,74,00,20,00,49,00,6e,\
00,73,00,74,00,61,00,6c,00,6c,00,65,00,72,00,00,00,34,00,0a,00,01,00,46,00,\
69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,31,\
00,30,00,2e,00,32,00,2e,00,31,00,30,00,2e,00,31,00,00,00,30,00,08,00,01,00,\
49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,65,00,00,\
00,53,00,45,00,56,00,49,00,4e,00,53,00,54,00,00,00,7e,00,2d,00,01,00,4c,00,\
65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,\
00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,20,00,28,00,\
43,00,29,00,20,00,53,00,79,00,6d,00,61,00,6e,00,74,00,65,00,63,00,20,00,43,\
00,6f,00,72,00,01,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.DLL]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll]
"CheckAppHelp"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,7c,03,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,00,00,01,00,09,00,26,00,00,\
00,01,00,09,00,26,00,3f,00,00,00,00,00,00,00,04,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,dc,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,b8,02,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,62,00,30,00,00,00,66,00,27,00,01,\
00,43,00,6f,00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,42,00,75,00,73,00,\
69,00,6e,00,65,00,73,00,73,00,20,00,49,00,6e,00,74,00,65,00,6c,00,6c,00,69,\
00,67,00,65,00,6e,00,63,00,65,00,20,00,6f,00,6e,00,20,00,45,00,76,00,65,00,\
72,00,79,00,20,00,44,00,65,00,73,00,6b,00,74,00,6f,00,70,00,00,00,00,00,48,\
00,14,00,01,00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,\
65,00,00,00,00,00,43,00,6f,00,67,00,6e,00,6f,00,73,00,20,00,49,00,6e,00,63,\
00,6f,00,72,00,70,00,6f,00,72,00,61,00,74,00,65,00,64,00,00,00,60,00,1c,00,\
01,00,46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,\
00,69,00,6f,00,6e,00,00,00,00,00,43,00,6f,00,67,00,6e,00,6f,00,73,00,20,00,\
47,00,65,00,6e,00,65,00,72,00,69,00,63,00,20,00,49,00,6e,00,73,00,74,00,61,\
00,6c,00,6c,00,61,00,74,00,69,00,6f,00,6e,00,00,00,38,00,0c,00,01,00,46,00,\
69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,31,\
00,2c,00,20,00,30,00,2c,00,20,00,33,00,38,00,2c,00,20,00,39,00,00,00,30,00,\
08,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,\
00,65,00,00,00,01,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"
"GlobalFlag"="0x000010F0"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,a4,02,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,00,00,01,00,01,00,00,00,00,\
00,01,00,01,00,00,00,3f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,04,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,e0,01,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,45,00,34,00,00,00,20,00,00,00,01,\
00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,\
00,00,58,00,18,00,01,00,46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,\
00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,00,00,00,49,00,4e,00,53,00,54,00,\
41,00,4c,00,4c,00,20,00,4d,00,46,00,43,00,20,00,41,00,70,00,70,00,6c,00,69,\
00,63,00,61,00,74,00,69,00,6f,00,6e,00,00,00,30,00,08,00,01,00,46,00,69,00,\
6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,31,00,2e,\
00,30,00,2e,00,30,00,30,00,31,00,00,00,30,00,08,00,01,00,49,00,6e,00,74,00,\
65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,65,00,00,00,49,00,4e,00,53,\
00,54,00,41,00,4c,00,4c,00,00,00,24,00,00,00,01,00,4c,00,65,00,67,00,61,00,\
6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,00,00,28,00,00,\
00,01,00,4c,00,65,00,67,00,61,00,6c,00,54,00,72,00,61,00,64,00,65,00,6d,00,\
61,00,72,00,6b,00,73,00,00,00,00,00,40,00,0c,00,01,00,4f,00,72,00,69,00,67,\
00,69,00,6e,00,61,00,6c,00,46,00,69,00,6c,00,65,00,6e,00,61,00,6d,00,65,00,\
00,00,49,00,4e,00,53,00,54,00,41,00,4c,00,4c,00,2e,00,45,00,58,00,45,00,00,\
00,30,00,08,00,08,00,00,00,00,00,00,00


No instances found of MS alchemy

Thomas

Nothing new in those, but again I see something capable of at least the cryptkey and other functions Gmer showed earlier:

C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

Showing at least here related to iPhone. Do you have that device?

Since I have not asked recently, what issues/problems are you experiencing there now?

frolma

Hi, yes I've the device, but now I've unchecked it from startup with
msconfig .

Problems remain the same.
I have been thinking that it might be best to format the hard disk directly
What do you think about this?

Thomas

A reformat and reinstall is always the most complete method to remove almost all types of infection. Also the more difficult of the options for repairs.

These tell me so far something is masquerading as a codec driver there:

Directorio de c:\WINDOWS\system32
02/09/2008 16:57 298 112.CPX
02/09/2008 16:57 408 121.CPX
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
17/04/2007 21:54 326 37407285612.CPX
20/04/2007 18:54 1.626 37407285631.CPX
Directorio de c:\WINDOWS\system32\dllcache
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
aux1 REG_SZ 3740728561.CPX


What say we do two more checks then yes, I must admit I am not coming to a solutions for you here. One if a file check based on both the methods of a Tofger worm type infection, and the other just more checking the information we already have.


Go to Start - Run, type notepad (and Enter). In the open text box copy/paste all the text hilighted below:

@ECHO OFF
cd C:\Windows
dir /O:E > c:\show2.txt
cd C:\Windows\System32
dir /O:E >> c:\show2.txt & start notepad c:\show2.txt

Then go to File - Save as..., and save the file to your desktop as "Lookbig.bat"

(be sure to include the quotes "" in the name). Then click on lookbig.bat to run the file check. Once that completes a text box will open, however this will be a very large log file. Zip a copy of it, and send it to [noparse]jintan@cfl.rr.com[/noparse] as an attachment. Please place "Submitted Files - frolma - Icrontic" as the email Subject.


Then also use the Registry Search Tool for the following terms:

37407285612

3740728561


Post those results for review please.

frolma

Hi, here are the the regsearch logs

REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "37407285612" 11/09/2008 9:21:51
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\WinRAR\DialogEditHistory\ArcName]
"1"="37407285612.rar"



REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "3740728561" 11/09/2008 9:27:00
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux1"="3740728561.CPX"
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\WinRAR\DialogEditHistory\ArcName]
"1"="37407285612.rar"

Thomas

The registry setting returned itself I see for aux1. I received the file, as well as was able to locate a trial an earlier version of this same type infostealer banker infection. In looking back through the logs here I also see an autorun worm type startup, so let's do a more complete job of things right now to at least silence the malware. I also looked again at the Kaspersky log you created - are you sure that is the scan that locates and removes infection? The entire log reflects instead a type scan that assesses systems for vulnerable areas - it didn't actually point to any infection or unknown files.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.



Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Close all browsers and open windows, and do a search ( Start - Search/Find - Files or Folders) for the following hilighted files/folders (shown in Bold), and if found, rename them by adding .old to the name (so mscpx32r.dLL becomes mscpx32r.dLL.old ).

C:\WINDOWS\system32\mscpx32r.dLL
C:\WINDOWS\system32\mscpxl32.dLL

These are code page translator files that .cpx operate with. If you experience any errors that show those as missing or other event you can always change the names back.

---

Right click/Merge the wimaud1.reg file you created earlier - look back through our posts to see which one if needed.

---

Go here and download Flash_Disinfector.exe and save it to your desktop.

Doubleclick on Flash_Disinfector.exe to run it and follow the prompts. Wait until it has finished scanning and then exit the program.

The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.

If they contain autoload-type infection we may need to make new repairs. Unfortunately here is where an online Kaspersky scan does well, but we will check a different one to see first.

---

Click OTMoveIt2.exe to run it again.

Copy the file path(s) below to the clipboard by highlighting ALL of them and pressing CTRL + C, or right-click and choose Copy):

C:\WINDOWS\Tasks\Sa.dat
C:\WINDOWS\system32\37407285651.CPX
C:\WINDOWS\system32\12520850.cpx
C:\WINDOWS\system32\3740728561.CPX
C:\WINDOWS\system32\37407285612.CPX
C:\WINDOWS\system32\408 37407285621.CPX
C:\WINDOWS\system32\12520437.cpx
C:\WINDOWS\system32\37407285631.CPX
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints 2

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

---

Then Go here for an online AV scan. Follow all prompts to Allow all ActiveX objects to install. If your AV alerts you while the scan installs ignore this - Panda's Active Scan method is often mistaken for infection activity.

When the scan completes do not click any of the disinfection links provided. Click the small "Export to:" button and save the log file to your desktop. Then copy the contents of that ActiveScan.txt file back here for review please.

---

Run a new scan with OTViewIt, and post that along with the OTMoveIt log (OT is very busy helping with good tools) and the Panda log please.

frolma

I'm sure kaspersky didn't find anything or erased.
I've followed all steps you've said me except AV scan.
I neither can downloaded it.When the activex objects seems to be installed, it gives me an error.I've tried it several times but all times the same.

It seems to be a nasty piece,it knows all is bad for it.
Here are everything that Icould do.

C:\WINDOWS\Tasks\Sa.dat moved successfully.
C:\WINDOWS\system32\37407285651.CPX moved successfully.
C:\WINDOWS\system32\12520850.cpx moved successfully.
C:\WINDOWS\system32\3740728561.CPX moved successfully.
C:\WINDOWS\system32\37407285612.CPX moved successfully.
File/Folder C:\WINDOWS\system32\408 37407285621.CPX not found.
C:\WINDOWS\system32\12520437.cpx moved successfully.
C:\WINDOWS\system32\37407285631.CPX moved successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints 2 >
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints 2\\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09122008_184804



OTViewIt logfile created on: 12/09/2008 19:13:58 - Run 3
OTViewIt by OldTimer - Version 1.0.0.15 Folder = C:\Documents and Settings\Propietario\Mis documentos\Pirateo\Old Timer
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy

1014,42 Mb Total Physical Memory | 517,86 Mb Available Physical Memory | 51,05% Memory free
2,38 Gb Paging File | 1,94 Gb Available in Paging File | 81,66% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 74,53 Gb Total Space | 39,51 Gb Free Space | 53,01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ORGANIZA-6EEEB6
Current User Name: Propietario
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
===== Processes - Non-Microsoft Only =====
[06/03/2005 02:25 AM | 00,086,016 | ---- | M] (Intel Corporation) - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
[06/03/2005 02:28 AM | 00,372,809 | ---- | M] (Intel Corporation ) - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) - C:\WINDOWS\system32\brsvc01a.exe
[12/13/2001 01:01 AM | 00,045,056 | ---- | M] (brother Industries Ltd) - C:\WINDOWS\system32\brss01a.exe
[05/31/2005 11:46 PM | 00,401,408 | ---- | M] (Intel Corporation) - C:\Archivos de programa\Intel\Wireless\Bin\ZCfgSvc.exe
[06/28/2007 04:06 AM | 00,106,496 | ---- | M] (Apple, Inc.) - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[07/29/2008 08:20 PM | 00,206,088 | ---- | M] (Kaspersky Lab) - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
[05/31/2005 11:50 PM | 00,098,304 | ---- | M] (Intel Corporation) - C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
[06/03/2005 02:25 AM | 00,139,264 | ---- | M] (Intel Corporation) - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
[06/03/2005 02:26 AM | 00,245,760 | ---- | M] (Intel) - C:\Archivos de programa\Intel\Wireless\Bin\1XConfig.exe
[07/05/2005 10:47 PM | 00,544,768 | R--- | M] (Motorola Inc.) - C:\WINDOWS\sm56hlpr.exe
[08/08/2005 11:13 AM | 00,163,840 | ---- | M] () - C:\Archivos de programa\Power Manager\PM.exe
[06/03/2005 02:31 AM | 00,385,024 | ---- | M] (Intel Corporation) - C:\Archivos de programa\Intel\Wireless\Bin\iFrmewrk.exe
[05/31/2005 11:50 PM | 00,356,352 | ---- | M] (Intel Corporation) - C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
[03/18/2005 11:52 AM | 00,057,393 | ---- | M] (ScanSoft, Inc.) - C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
[05/17/2005 06:42 PM | 00,933,888 | ---- | M] (Brother Industries, Ltd.) - C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe
[01/13/2007 10:47 AM | 00,163,840 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\hkcmd.exe
[01/13/2007 10:46 AM | 00,135,168 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\igfxpers.exe
[07/29/2008 08:20 PM | 00,206,088 | ---- | M] (Kaspersky Lab) - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
===== Win32 Services - Non-Microsoft Only =====
(Apple Mobile Device) Apple Mobile Device [Auto | Running]
[06/28/2007 04:06 AM | 00,106,496 | ---- | M] (Apple, Inc.) - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
(Autodesk Licensing Service) Autodesk Licensing Service [On_Demand | Stopped]
[01/23/2007 10:00 PM | 00,077,944 | ---- | M] (Autodesk) - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
(AVP) Kaspersky Anti-Virus [Auto | Running]
[07/29/2008 08:20 PM | 00,206,088 | ---- | M] (Kaspersky Lab) - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
(Brother XP spl Service) BrSplService [Auto | Running]
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) - C:\WINDOWS\system32\brsvc01a.exe
(dmadmin) Servicio del administrador de discos lógicos [On_Demand | Stopped]
[03/02/2006 02:00 PM | 00,225,792 | ---- | M] (Microsoft Corp., VERITAS Software) - C:\WINDOWS\system32\dmadmin.exe
(EvtEng) EvtEng [Auto | Running]
[06/03/2005 02:25 AM | 00,086,016 | ---- | M] (Intel Corporation) - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
(FirebirdServerMAGIXInstance) Firebird Server - MAGIX Instance [On_Demand | Stopped]
[11/17/2005 03:18 PM | 01,527,900 | ---- | M] (MAGIX®) - C:\Archivos de programa\MAGIX\Common\Database\bin\fbserver.exe
(OwnershipProtocol) OwnershipProtocol [Auto | Running]
[05/31/2005 11:50 PM | 00,098,304 | ---- | M] (Intel Corporation) - C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
(RegSrvc) RegSrvc [Auto | Running]
[06/03/2005 02:25 AM | 00,139,264 | ---- | M] (Intel Corporation) - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
(S24EventMonitor) Spectrum24 Event Monitor [Auto | Running]
[06/03/2005 02:28 AM | 00,372,809 | ---- | M] (Intel Corporation ) - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
===== Driver Services - Non-Microsoft Only =====
(BrScnUsb) Brother USB Still Image driver [On_Demand | Stopped]
[10/15/2004 01:50 PM | 00,015,295 | ---- | M] (Brother Industries Ltd.) - C:\WINDOWS\system32\drivers\BrScnUsb.sys
(catchme) catchme [On_Demand | Stopped]
File not found - C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\catchme.sys
(EKBfltr) ENE Keyboard Controller [On_Demand | Running]
[01/14/2005 11:22 AM | 00,005,504 | R--- | M] (EnE Technology Inc.) - C:\WINDOWS\system32\drivers\EKBfltr.sys
(gmer) gmer [On_Demand | Stopped]
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) - C:\WINDOWS\system32\drivers\gmer.sys
(ialm) ialm [On_Demand | Running]
[01/13/2007 11:33 AM | 05,672,032 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\igxpmp32.sys
(Iviaspi) IVI ASPI Shell [On_Demand | Running]
[09/20/2005 05:27 PM | 00,010,368 | ---- | M] (InterVideo, Inc.) - C:\WINDOWS\system32\drivers\iviaspi.sys
(IWCA) Intel Wireless Connection Agent Miniport for Win XP [On_Demand | Running]
[08/12/2004 09:44 AM | 00,234,496 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\iwca.sys
(kl1) kl1 [Boot | Running]
[07/21/2008 06:34 PM | 00,121,872 | ---- | M] (Kaspersky Lab) - C:\WINDOWS\system32\drivers\kl1.sys
(klbg) Kaspersky Lab Boot Guard Driver [Boot | Running]
[01/29/2008 06:29 PM | 00,032,784 | ---- | M] (Kaspersky Lab) - C:\WINDOWS\system32\drivers\klbg.sys
(KLIF) Kaspersky Lab Driver [System | Running]
[08/23/2008 03:22 AM | 00,213,008 | ---- | M] (Kaspersky Lab) - C:\WINDOWS\system32\drivers\klif.sys
(klim5) Kaspersky Anti-Virus NDIS Filter [On_Demand | Running]
[04/30/2008 06:06 PM | 00,024,592 | ---- | M] (Kaspersky Lab) - C:\WINDOWS\system32\drivers\klim5.sys
(pcouffin) VSO Software pcouffin [On_Demand | Stopped]
[05/30/2008 06:30 PM | 00,047,360 | ---- | M] (VSO Software) - C:\WINDOWS\system32\drivers\pcouffin.sys
(s24trans) Transporte WLAN [Auto | Running]
[05/03/2005 08:03 AM | 00,011,354 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\s24trans.sys
(smserial) smserial [On_Demand | Running]
[07/05/2005 10:54 PM | 00,840,100 | R--- | M] (Motorola Inc.) - C:\WINDOWS\system32\drivers\smserial.sys
(tifm21) tifm21 [On_Demand | Running]
[06/03/2005 11:50 PM | 00,162,176 | ---- | M] (Texas Instruments) - C:\WINDOWS\system32\drivers\tifm21.sys
(TSP) TSP [On_Demand | Stopped]
[08/23/2008 03:22 AM | 00,213,008 | ---- | M] (Kaspersky Lab) - C:\WINDOWS\system32\drivers\klif.sys
(WINIO) WINIO [On_Demand | Running]
[03/02/2002 12:21 AM | 00,004,944 | ---- | M] () - C:\Archivos de programa\Power Manager\WinIo.sys
===== Run Keys =====
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr" = ALCMTR.EXE [05/03/2005 12:43 PM | 00,069,632 | ---- | M] (Realtek Semiconductor Corp.)
"AVP" = "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [07/29/2008 08:20 PM | 00,206,088 | ---- | M] (Kaspersky Lab)
"ControlCenter2.0" = C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun [05/17/2005 06:42 PM | 00,933,888 | ---- | M] (Brother Industries, Ltd.)
"EOUApp" = C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe [05/31/2005 11:50 PM | 00,356,352 | ---- | M] (Intel Corporation)
"High Definition Audio Property Page Shortcut" = HDAShCut.exe [01/07/2005 06:07 PM | 00,061,952 | ---- | M] (Windows (R) Server 2003 DDK provider)
"HotKeysCmds" = C:\WINDOWS\system32\hkcmd.exe [01/13/2007 10:47 AM | 00,163,840 | ---- | M] (Intel Corporation)
"IgfxTray" = C:\WINDOWS\system32\igfxtray.exe [01/13/2007 10:47 AM | 00,131,072 | ---- | M] (Intel Corporation)
"IndexSearch" = C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe [03/18/2005 12:04 PM | 00,040,960 | ---- | M] (ScanSoft, Inc.)
"IntelWireless" = C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless [06/03/2005 02:31 AM | 00,385,024 | ---- | M] (Intel Corporation)
"IntelZeroConfig" = C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe [05/31/2005 11:46 PM | 00,401,408 | ---- | M] (Intel Corporation)
"NeroFilterCheck" = C:\WINDOWS\system32\NeroCheck.exe [07/09/2001 11:50 AM | 00,155,648 | ---- | M] (Ahead Software Gmbh)
"PaperPort PTD" = C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe [03/18/2005 11:52 AM | 00,057,393 | ---- | M] (ScanSoft, Inc.)
"Persistence" = C:\WINDOWS\system32\igfxpers.exe [01/13/2007 10:46 AM | 00,135,168 | ---- | M] (Intel Corporation)
"PowerDVD" = C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe /autostart [06/13/2002 06:08 PM | 00,389,120 | ---- | M] (CyberLink Corp.)
"PowerManager" = C:\Archivos de programa\Power Manager\PM.exe [08/08/2005 11:13 AM | 00,163,840 | ---- | M] ()
"QuickTime Task" = "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime [04/27/2007 09:41 AM | 00,282,624 | ---- | M] (Apple Inc.)
"RTHDCPL" = RTHDCPL.EXE [06/08/2005 08:42 AM | 14,565,376 | ---- | M] (Realtek Semiconductor Corp.)
"SetDefPrt" = C:\Archivos de programa\Brother\Brmfl05a\BrStDvPt.exe [01/26/2005 07:02 PM | 00,049,152 | ---- | M] (Brother Industories, Ltd.)
"SMSERIAL" = sm56hlpr.exe [07/05/2005 10:47 PM | 00,544,768 | R--- | M] (Motorola Inc.)
"SSBkgdUpdate" = "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [10/14/2003 11:22 AM | 00,155,648 | R--- | M] (Scansoft, Inc.)
"SunJavaUpdateSched" = "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe" [10/12/2006 04:10 AM | 00,049,263 | ---- | M] (Sun Microsystems, Inc.)
"Telefonica" = "C:\Archivos de programa\Telefonica\bin\sprtcmd.exe" /P Telefonica [10/06/2005 05:44 PM | 00,192,512 | ---- | M] (SupportSoft, Inc.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchList" = C:\Archivos de programa\Pinnacle\Studio 11\LaunchList2.exe [03/21/2007 04:41 PM | 00,145,496 | ---- | M] (Pinnacle Systems)
"NBJ" = "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe" [10/11/2005 07:25 PM | 01,961,984 | ---- | M] (Ahead Software AG)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.
===== Startup Folders =====
[All Users Startup Folder - C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio]
[03/05/2006 03:43 PM | 00,011,000 | ---- | M] (Autodesk, Inc) - C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Acelerador de inicio de AutoCAD.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
[09/23/2005 11:05 PM | 00,029,696 | ---- | M] (Adobe Systems Incorporated) - C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[04/23/2005 08:12 PM | 00,802,816 | ---- | M] (Brother Industries, Ltd.) - C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Monitor de estado.lnk = C:\Archivos de programa\Brother\Brmfcmon\BrMfcWnd.exe
[Propietario Startup Folder - C:\Documents and Settings\Propietario\Menú Inicio\Programas\Inicio]
===== BHO's =====
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (Adobe PDF Reader Link Helper) - [01/12/2006 09:38 PM | 00,063,128 | ---- | M] (Adobe Systems Incorporated) C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
HKLM CLSID: (IEVkbdBHO Class) - [07/29/2008 08:21 PM | 00,062,728 | ---- | M] (Kaspersky Lab) C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [10/12/2006 04:25 AM | 00,434,279 | ---- | M] (Sun Microsystems, Inc.) C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.
===== Toolbars =====
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
HKLM CLSID: (Yahoo! Toolbar) - File not found Reg Error: Key does not exist or could not be opened.
===== Policies =====
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 36
"NoDriveAutoRun" = FF FF FF FF [binary data]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
===== Desktop Components =====
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "Mi página de inicio actual"
"Source" = "about:Home"
"SubscribedURL" = "about:Home"
===== Shared Task Scheduler =====
===== AppInit_Dlls =====
===== Lsa Authentication Packages =====
===== Lsa Security Packages =====
===== Authorized Applications List =====
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [03/02/2006 02:00 PM | 00,142,848 | ---- | M] (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe [10/10/2006 02:44 PM | 00,557,568 | ---- | M] (Microsoft Corporation)
"C:\Archivos de programa\MSN Messenger\msncall.exe" = C:\Archivos de programa\MSN Messenger\msncall.exe File not found
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe" = C:\Archivos de programa\MSN Messenger\msnmsgr.exe [01/19/2007 12:55 PM | 05,674,352 | ---- | M] (Microsoft Corporation)
"C:\Archivos de programa\MSN Messenger\livecall.exe" = C:\Archivos de programa\MSN Messenger\livecall.exe [01/04/2007 04:10 PM | 00,297,752 | ---- | M] (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Archivos de programa\Telefonica\AsistCfg71\awcbrwsr.exe" = C:\Archivos de programa\Telefonica\AsistCfg71\awcbrwsr.exe [03/29/2007 01:00 AM | 00,053,248 | ---- | M] ()
"C:\WINDOWS\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe [03/02/2006 02:00 PM | 00,142,848 | ---- | M] (Microsoft Corporation)
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe [10/10/2006 02:44 PM | 00,557,568 | ---- | M] (Microsoft Corporation)
"C:\WINDOWS\Explorer.EXE" = C:\WINDOWS\explorer.exe [06/13/2007 03:22 PM | 01,035,776 | ---- | M] (Microsoft Corporation)
"C:\Archivos de programa\Internet Explorer\iexplore.exe" = C:\Archivos de programa\Internet Explorer\iexplore.exe [06/23/2008 11:20 AM | 00,625,664 | ---- | M] (Microsoft Corporation)
"C:\Archivos de programa\iTunes\iTunes.exe" = C:\Archivos de programa\iTunes\iTunes.exe [06/28/2007 09:14 AM | 15,330,616 | ---- | M] (Apple Inc.)
"C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE" = C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE [07/15/2003 06:45 AM | 00,196,152 | ---- | M] (Microsoft Corporation)
"C:\Archivos de programa\Pinnacle\Studio 11\programs\PMSRegisterFile.exe" = C:\Archivos de programa\Pinnacle\Studio 11\programs\PMSRegisterFile.exe [11/21/2006 06:05 AM | 00,024,576 | ---- | M] ( )
"C:\Archivos de programa\Pinnacle\Studio 11\programs\RM.exe" = C:\Archivos de programa\Pinnacle\Studio 11\programs\RM.exe [04/06/2007 02:17 PM | 00,073,728 | ---- | M] (Pinnacle Systems)
"C:\Archivos de programa\Pinnacle\Studio 11\programs\Studio.exe" = C:\Archivos de programa\Pinnacle\Studio 11\programs\Studio.exe [04/06/2007 02:40 PM | 05,505,024 | ---- | M] (Pinnacle Systems)
"C:\Archivos de programa\Pinnacle\Studio 11\programs\umi.exe" = C:\Archivos de programa\Pinnacle\Studio 11\programs\umi.exe [04/06/2007 02:16 PM | 00,081,920 | ---- | M] (Pinnacle Systems)
"C:\Archivos de programa\MSN Messenger\msncall.exe" = C:\Archivos de programa\MSN Messenger\msncall.exe File not found
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe" = C:\Archivos de programa\MSN Messenger\msnmsgr.exe [01/19/2007 12:55 PM | 05,674,352 | ---- | M] (Microsoft Corporation)
"C:\Archivos de programa\MSN Messenger\livecall.exe" = C:\Archivos de programa\MSN Messenger\livecall.exe [01/04/2007 04:10 PM | 00,297,752 | ---- | M] (Microsoft Corporation)
"C:\Archivos de programa\Messenger\msmsgs.exe" = C:\Archivos de programa\Messenger\msmsgs.exe [10/13/2004 06:24 PM | 01,694,208 | ---- | M] (Microsoft Corporation)
===== HKLM Winlogon Settings =====
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"Explorer.exe" - [06/13/2007 03:22 PM | 01,035,776 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\system32\userinit.exe" - [03/02/2006 02:00 PM | 00,025,088 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [03/02/2006 02:00 PM | 00,515,584 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [03/02/2006 02:00 PM | 00,302,592 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl
===== User's Winlogon Settings =====
===== Winlogon Notify Settings =====
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DllName" = C:\WINDOWS\system32\igfxdev.dll [01/13/2007 10:46 AM | 00,204,800 | ---- | M] (Intel Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
"DllName" = C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll [05/31/2005 11:46 PM | 00,110,592 | ---- | M] (Intel Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
"DllName" = C:\WINDOWS\system32\klogon.dll [07/29/2008 08:21 PM | 00,218,376 | ---- | M] (Kaspersky Lab)
===== Safeboot Options =====
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

frolma

OTVievit (part two)

===== Disabled MsConfig Items =====
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^ WinCinema Manager.lnk]
"path" = C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\ WinCinema Manager.lnk File not found
"backup" = C:\WINDOWS\pss\ WinCinema Manager.lnk File not found
"location" = Common Startup
"command" = C:\Archivos de programa\Sandisk\Common\Bin\WinCinemaMgr.exe [09/26/2006 02:29 PM | 00,303,104 | ---- | M] (InterVideo Inc.)
"item" = WinCinema Manager
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Propietario^Menú Inicio^Programas^Inicio^OpenOffice.org 2.0.lnk]
"path" = C:\Documents and Settings\Propietario\Menú Inicio\Programas\Inicio\OpenOffice.org 2.0.lnk File not found
"backup" = C:\WINDOWS\pss\OpenOffice.org File not found
"location" = Startup
"command" = C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe File not found
"item" = OpenOffice.org 2.0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key" = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"item" = iTunesHelper
"hkey" = HKLM
"command" = C:\Archivos de programa\iTunes\iTunesHelper.exe [06/28/2007 09:14 AM | 00,270,648 | ---- | M] (Apple Inc.)
"inimapping" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini" = 0
"win.ini" = 0
"bootini" = 0
"services" = 0
"startup" = 2
===== DNS Name Servers =====
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{472F2256-6B58-4784-9CD8-32BD2E21A4F7}]
Servers: | Description: Intel(R) PRO/Wireless 2200BG Network Connection
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{59B3C720-E9B0-45FE-B97C-2BD8CCDC2EB2}]
Servers: 80.58.61.254,80.58.61.250 | Description: Broadcom 440x 10/100 Integrated Controller
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{A5175BD6-662B-46EA-A446-EECCE2055DAC}]
Servers: 80.58.61.254,80.58.61.250 | Description: Adaptador de red 1394
===== CDRom AutoRun Settings =====
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1
===== Autorun Files on Drives =====
AUTOEXEC.BAT [SET PATH=C:\Archivos de programa\Pinnacle\Shared Files;C:\Archivos de programa\Pinnacle\Shared Files\Filter | ]
[03/23/2008 11:37 PM | 00,000,109 | ---- | M] () C:\AUTOEXEC.BAT [ NTFS ]
autorun.inf []
[09/12/2008 06:42 PM | RHSD | M] C:\autorun.inf [ NTFS ]
===== MountPoints2 =====
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{008e5a07-940e-11db-b04b-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{008e5a07-940e-11db-b04b-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{008e5a07-940e-11db-b04b-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{010e4825-b7ad-11db-b0c9-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{010e4825-b7ad-11db-b0c9-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{010e4825-b7ad-11db-b0c9-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{04b59145-89f5-11db-b046-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{04b59145-89f5-11db-b046-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{04b59145-89f5-11db-b046-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{187aefec-943d-11db-b051-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{187aefec-943d-11db-b051-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{187aefec-943d-11db-b051-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell]
"" = Open
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\AutoRun]
"Extended" =
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\AutoRun\command]
"" = dh66ln.cmd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\explore]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\explore\Command]
"" = dh66ln.cmd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\open]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\open\Command]
"" = dh66ln.cmd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\open\Default]
"" = 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{208331b2-dd63-11db-b10e-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{208331b2-dd63-11db-b10e-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{208331b2-dd63-11db-b10e-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{24dbd769-2e6a-11dd-b316-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{24dbd769-2e6a-11dd-b316-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{24dbd769-2e6a-11dd-b316-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2589628e-1783-11dc-b168-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2589628e-1783-11dc-b168-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2589628e-1783-11dc-b168-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2589628f-1783-11dc-b168-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2589628f-1783-11dc-b168-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2589628f-1783-11dc-b168-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{32cbf123-2734-11dc-b18d-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{32cbf123-2734-11dc-b18d-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{32cbf123-2734-11dc-b18d-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f836d6e-89fa-11db-b047-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f836d6e-89fa-11db-b047-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f836d6e-89fa-11db-b047-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{481da3ed-f9ab-11db-b135-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{481da3ed-f9ab-11db-b135-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{481da3ed-f9ab-11db-b135-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8043784d-aef5-11db-b0b6-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8043784d-aef5-11db-b0b6-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8043784d-aef5-11db-b0b6-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8bd9687c-388a-11dd-b317-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8bd9687c-388a-11dd-b317-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8bd9687c-388a-11dd-b317-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91541350-a907-11dc-b29f-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91541350-a907-11dc-b29f-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91541350-a907-11dc-b29f-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f7c12ec-4c2e-11dc-b1db-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f7c12ec-4c2e-11dc-b1db-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f7c12ec-4c2e-11dc-b1db-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a22665ff-1687-11dc-b165-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a22665ff-1687-11dc-b165-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a22665ff-1687-11dc-b165-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{caa0508c-9761-11db-b064-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{caa0508c-9761-11db-b064-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{caa0508c-9761-11db-b064-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d144cc08-3f8e-11dc-b1b8-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d144cc08-3f8e-11dc-b1b8-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d144cc08-3f8e-11dc-b1b8-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de387366-846f-11dc-b283-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de387366-846f-11dc-b283-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de387366-846f-11dc-b283-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de38736a-846f-11dc-b283-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de38736a-846f-11dc-b283-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de38736a-846f-11dc-b283-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f0edb6da-d8bb-11db-b105-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f0edb6da-d8bb-11db-b105-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f0edb6da-d8bb-11db-b105-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f215f2e8-4085-11dc-b1ba-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f215f2e8-4085-11dc-b1ba-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f215f2e8-4085-11dc-b1ba-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f52782d4-5c99-11dc-b21e-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f52782d4-5c99-11dc-b21e-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f52782d4-5c99-11dc-b21e-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7437be1-6f70-11dc-b25e-00166f4e7cbd}\Shell]
"" = None
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7437be1-6f70-11dc-b25e-00166f4e7cbd}\Shell\Autoplay]
"MUIVerb" = C:\WINDOWS\system32\shell32.dll [10/25/2007 06:43 PM | 08,502,272 | ---- | M] (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7437be1-6f70-11dc-b25e-00166f4e7cbd}\Shell\Autoplay\DropTarget]
"CLSID" = {f26a669a-bcbb-4e37-abf9-7325da15f931}
===== Hosts File =====
HOSTS File = (792 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

[Files/Folders - Created Within 30 days]
[08/30/2008 11:11 AM | ---D | C] - C:\_OTMoveIt
[08/30/2008 11:18 AM | ---D | C] - C:\SDFix
[09/03/2008 03:41 PM | ---D | C] - C:\0f118ff24134c722b11e1296b6b1d026
[09/08/2008 06:27 PM | 00,162,616 | ---- | C] (Sysinternals - www.sysinternals.com) - C:\RegDelNull.exe
[09/12/2008 06:42 PM | RHSD | C] - C:\autorun.inf
[08/23/2008 03:22 AM | 00,213,008 | ---- | C] (Kaspersky Lab) - C:\WINDOWS\System32\drivers\klif.sys
[08/23/2008 03:23 AM | 00,002,788 | -HS- | C] () - C:\WINDOWS\System32\drivers\fidbox2.idx
[08/23/2008 03:23 AM | 00,026,616 | -HS- | C] () - C:\WINDOWS\System32\drivers\fidbox.idx
[08/23/2008 03:23 AM | 00,499,744 | -HS- | C] () - C:\WINDOWS\System32\drivers\fidbox2.dat
[08/23/2008 03:23 AM | 03,268,640 | -HS- | C] () - C:\WINDOWS\System32\drivers\fidbox.dat
[08/23/2008 03:24 AM | 00,087,855 | ---- | C] () - C:\WINDOWS\System32\drivers\klick.dat
[08/23/2008 03:24 AM | 00,096,976 | ---- | C] () - C:\WINDOWS\System32\drivers\klin.dat
[09/06/2008 07:42 PM | 00,085,969 | ---- | C] (GMER) - C:\WINDOWS\System32\drivers\gmer.sys
[09/12/2008 07:10 PM | 00,028,544 | ---- | C] (Panda Security, S.L.) - C:\WINDOWS\System32\drivers\pavboot.sys
[1 C:\WINDOWS\System32\*.tmp files]
[08/15/2008 06:03 AM | 00,120,200 | ---- | C] () - C:\WINDOWS\System32\DLLDEV32i.dll
[08/15/2008 06:05 AM | 00,053,248 | ---- | C] () - C:\WINDOWS\System32\mgxasio2.dll
[08/15/2008 06:05 AM | 00,430,080 | ---- | C] (MAGIX AG) - C:\WINDOWS\System32\MXRestore.exe
[08/28/2008 10:21 AM | ---D | C] - C:\WINDOWS\System32\CatRoot_bak
[09/02/2008 04:57 PM | 00,000,298 | ---- | C] () - C:\WINDOWS\System32\112.CPX.old
[09/02/2008 04:57 PM | 00,000,408 | ---- | C] () - C:\WINDOWS\System32\121.CPX.old
[5 C:\WINDOWS\*.tmp files]
[08/15/2008 06:06 AM | 00,000,028 | ---- | C] () - C:\WINDOWS\Robota.INI
[08/30/2008 11:19 AM | ---D | C] - C:\WINDOWS\ERUNT
[09/06/2008 07:42 PM | 00,000,080 | ---- | C] () - C:\WINDOWS\gmer_uninstall.cmd
[09/06/2008 07:42 PM | 00,000,250 | ---- | C] () - C:\WINDOWS\gmer.ini
[09/06/2008 07:42 PM | 00,811,008 | ---- | C] () - C:\WINDOWS\gmer.exe
[09/06/2008 07:42 PM | 00,884,736 | ---- | C] () - C:\WINDOWS\gmer.dll
[09/12/2008 07:09 PM | ---D | C] - C:\WINDOWS\LastGood
[08/15/2008 06:03 AM | ---D | C] - C:\Documents and Settings\All Users\Datos de programa\MAGIX
[08/20/2008 01:40 PM | ---D | C] - C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
[08/23/2008 03:17 AM | ---D | C] - C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab Setup Files
[08/23/2008 03:23 AM | ---D | C] - C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab
[08/30/2008 11:37 AM | ---D | C] - C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
[08/15/2008 06:06 AM | ---D | C] - C:\Documents and Settings\Propietario\Datos de programa\MAGIX
[08/30/2008 11:37 AM | ---D | C] - C:\Documents and Settings\Propietario\Datos de programa\Malwarebytes
[08/15/2008 06:04 AM | ---D | C] - C:\Documents and Settings\Propietario\Mis documentos\MAGIX_MusicMaker2008PE_Version_para_descargar
[08/15/2008 06:06 AM | ---D | C] - C:\Documents and Settings\Propietario\Mis documentos\MAGIX Descargas
[08/15/2008 06:06 AM | ---D | C] - C:\Documents and Settings\Propietario\Mis documentos\MAGIX_Screenshare
[08/30/2008 11:46 AM | ---D | C] - C:\Documents and Settings\Propietario\Mis documentos\LOGS
[08/31/2008 10:43 AM | ---D | C] - C:\Documents and Settings\Propietario\Mis documentos\Quarantine
[09/07/2008 06:51 PM | ---D | C] - C:\Documents and Settings\Propietario\Mis documentos\PGMS
[08/30/2008 11:37 AM | 00,000,731 | ---- | C] () - C:\Documents and Settings\All Users\Escritorio\Malwarebytes' Anti-Malware.lnk
[09/02/2008 01:02 AM | 00,001,007 | ---- | C] () - C:\Documents and Settings\All Users\Escritorio\Nero Online Upgrade.lnk
[09/05/2008 11:29 AM | ---D | C] - C:\Documents and Settings\Propietario\Escritorio\ZIPS
[08/15/2008 06:03 AM | ---D | C] - C:\Archivos de programa\MAGIX
[08/20/2008 01:40 PM | ---D | C] - C:\Archivos de programa\Spybot - Search & Destroy
[08/20/2008 01:49 AM | ---D | C] - C:\Archivos de programa\Trend Micro
[08/23/2008 03:23 AM | ---D | C] - C:\Archivos de programa\Kaspersky Lab
[08/23/2008 06:35 PM | ---D | C] - C:\Archivos de programa\BitTorrent Fastest Tool
[08/30/2008 11:37 AM | ---D | C] - C:\Archivos de programa\Malwarebytes' Anti-Malware
[09/02/2008 05:09 PM | ---D | C] - C:\Archivos de programa\EsetOnlineScanner
[09/12/2008 07:09 PM | ---D | C] - C:\Archivos de programa\Panda Security
[Files/Folders - Modified Within 30 days]
[08/30/2008 11:11 AM | ---D | M] - C:\_OTMoveIt
[08/30/2008 11:29 AM | ---D | M] - C:\SDFix
[09/03/2008 03:41 PM | ---D | M] - C:\0f118ff24134c722b11e1296b6b1d026
[09/04/2008 08:20 AM | -HSD | M] - C:\RECYCLER
[09/07/2008 02:43 AM | ---D | M] - C:\Documents and Settings
[09/10/2008 06:25 PM | 00,000,211 | -HS- | M] () - C:\boot.ini
[09/12/2008 06:42 PM | RHSD | M] - C:\autorun.inf
[09/12/2008 07:09 PM | ---D | M] - C:\Archivos de programa
[09/12/2008 07:09 PM | ---D | M] - C:\WINDOWS
[08/23/2008 03:22 AM | 00,213,008 | ---- | M] (Kaspersky Lab) - C:\WINDOWS\System32\drivers\klif.sys
[08/23/2008 03:24 AM | 00,087,855 | ---- | M] () - C:\WINDOWS\System32\drivers\klick.dat
[08/23/2008 03:38 AM | 00,096,976 | ---- | M] () - C:\WINDOWS\System32\drivers\klin.dat
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) - C:\WINDOWS\System32\drivers\gmer.sys
[09/12/2008 09:37 AM | 00,002,788 | -HS- | M] () - C:\WINDOWS\System32\drivers\fidbox2.idx
[09/12/2008 09:37 AM | 00,026,616 | -HS- | M] () - C:\WINDOWS\System32\drivers\fidbox.idx
[09/12/2008 09:37 AM | 00,499,744 | -HS- | M] () - C:\WINDOWS\System32\drivers\fidbox2.dat
[09/12/2008 09:37 AM | 03,268,640 | -HS- | M] () - C:\WINDOWS\System32\drivers\fidbox.dat
[1 C:\WINDOWS\System32\*.tmp files]
[08/23/2008 02:40 AM | 00,064,706 | ---- | M] () - C:\WINDOWS\System32\perfc009.dat
[08/23/2008 02:40 AM | 00,084,476 | ---- | M] () - C:\WINDOWS\System32\perfc00A.dat
[08/23/2008 02:40 AM | 00,409,566 | ---- | M] () - C:\WINDOWS\System32\perfh009.dat
[08/23/2008 02:40 AM | 00,473,274 | ---- | M] () - C:\WINDOWS\System32\perfh00A.dat
[08/23/2008 02:40 AM | 01,043,160 | ---- | M] () - C:\WINDOWS\System32\PerfStringBackup.INI
[08/28/2008 11:05 AM | ---D | M] - C:\WINDOWS\System32\CatRoot
[08/28/2008 11:05 AM | ---D | M] - C:\WINDOWS\System32\CatRoot_bak
[08/29/2008 02:10 PM | ---D | M] - C:\WINDOWS\System32\MAGIX
[09/02/2008 04:57 PM | 00,000,298 | ---- | M] () - C:\WINDOWS\System32\112.CPX.old
[09/02/2008 04:57 PM | 00,000,408 | ---- | M] () - C:\WINDOWS\System32\121.CPX.old
[09/08/2008 08:11 PM | ---D | M] - C:\WINDOWS\System32\Restore
[09/12/2008 06:14 PM | ---D | M] - C:\WINDOWS\System32\Lang
[09/12/2008 06:15 PM | 00,002,206 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[09/12/2008 06:25 PM | ---D | M] - C:\WINDOWS\System32\CatRoot2
[09/12/2008 06:48 PM | RHSD | M] - C:\WINDOWS\System32\dllcache
[09/12/2008 07:10 PM | ---D | M] - C:\WINDOWS\System32\drivers
[5 C:\WINDOWS\*.tmp files]
[08/15/2008 06:05 AM | 00,006,308 | ---- | M] () - C:\WINDOWS\mgxoschk.ini
[08/17/2008 09:19 PM | 00,001,374 | ---- | M] () - C:\WINDOWS\imsins.BAK
[08/17/2008 09:19 PM | -H-D | M] - C:\WINDOWS\$hf_mig$
[08/18/2008 12:27 PM | 00,000,350 | ---- | M] () - C:\WINDOWS\BeatBox.INI
[08/18/2008 12:27 PM | 00,000,456 | ---- | M] () - C:\WINDOWS\musicmaker.INI
[08/23/2008 03:24 AM | -HSD | M] - C:\WINDOWS\Installer
[08/28/2008 07:54 PM | ---D | M] - C:\WINDOWS\pss
[08/28/2008 10:11 AM | ---D | M] - C:\WINDOWS\Help
[08/28/2008 10:21 AM | ---D | M] - C:\WINDOWS\Debug
[08/29/2008 02:08 PM | 00,000,028 | ---- | M] () - C:\WINDOWS\Robota.INI
[08/30/2008 11:19 AM | ---D | M] - C:\WINDOWS\ERUNT
[09/01/2008 05:57 PM | 00,000,116 | ---- | M] () - C:\WINDOWS\NeroDigital.ini
[09/06/2008 07:42 PM | 00,000,080 | ---- | M] () - C:\WINDOWS\gmer_uninstall.cmd
[09/06/2008 07:42 PM | 00,884,736 | ---- | M] () - C:\WINDOWS\gmer.dll
[09/08/2008 02:25 PM | 00,000,250 | ---- | M] () - C:\WINDOWS\gmer.ini
[09/08/2008 06:14 PM | ---D | M] - C:\WINDOWS\Minidump
[09/10/2008 06:10 PM | 00,054,156 | -H-- | M] () - C:\WINDOWS\QTFont.qfn
[09/10/2008 06:25 PM | 00,000,227 | ---- | M] () - C:\WINDOWS\system.ini
[09/10/2008 06:25 PM | 00,000,799 | ---- | M] () - C:\WINDOWS\win.ini
[09/11/2008 02:49 PM | ---D | M] - C:\WINDOWS\Prefetch
[09/12/2008 06:14 PM | 00,002,048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[09/12/2008 06:48 PM | ---D | M] - C:\WINDOWS\system32
[09/12/2008 06:48 PM | --SD | M] - C:\WINDOWS\Tasks
[09/12/2008 06:54 PM | --SD | M] - C:\WINDOWS\Downloaded Program Files
[09/12/2008 07:09 PM | ---D | M] - C:\WINDOWS\LastGood
[09/12/2008 07:09 PM | -H-D | M] - C:\WINDOWS\inf
[09/12/2008 07:12 PM | ---D | M] - C:\WINDOWS\Temp
[09/09/2008 10:25 AM | 00,000,298 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[08/15/2008 06:05 AM | ---D | M] - C:\Documents and Settings\All Users\Datos de programa\MAGIX
[08/22/2008 07:40 PM | ---D | M] - C:\Documents and Settings\All Users\Datos de programa\AntiVir PersonalEdition Classic
[08/23/2008 03:17 AM | ---D | M] - C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab Setup Files
[08/23/2008 03:19 AM | ---D | M] - C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
[08/30/2008 11:37 AM | ---D | M] - C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
[09/12/2008 06:15 PM | ---D | M] - C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab
[08/15/2008 06:06 AM | ---D | M] - C:\Documents and Settings\Propietario\Datos de programa\MAGIX
[08/30/2008 11:37 AM | ---D | M] - C:\Documents and Settings\Propietario\Datos de programa\Malwarebytes
[09/01/2008 03:36 PM | ---D | M] - C:\Documents and Settings\Propietario\Configuración local\Datos de programa\Microsoft
[09/10/2008 06:34 PM | 00,161,280 | ---- | M] () - C:\Documents and Settings\Propietario\Configuración local\Datos de programa\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[09/01/2008 05:57 PM | 00,000,349 | ---- | M] () - C:\Documents and Settings\All Users\Documentos\PCLECHAL.INI
[08/13/2008 09:00 PM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\Mª jose
[08/14/2008 06:51 PM | R--D | M] - C:\Documents and Settings\Propietario\Mis documentos\Mis imágenes
[08/15/2008 06:06 AM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\MAGIX Descargas
[08/15/2008 06:06 AM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\MAGIX_Screenshare
[08/29/2008 02:10 PM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\MAGIX_MusicMaker2008PE_Version_para_descargar
[08/31/2008 08:08 PM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\My Pictures
[08/31/2008 10:54 AM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\Quarantine
[09/02/2008 01:40 AM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\VolcatDecrypter
[09/03/2008 12:49 AM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\Pirateo
[09/07/2008 03:54 PM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\Mis archivos recibidos
[09/10/2008 10:55 AM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\Pinnacle Studio
[09/11/2008 09:30 AM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\LOGS
[09/12/2008 06:28 PM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\PGMS
[09/12/2008 09:36 AM | ---D | M] - C:\Documents and Settings\Propietario\Mis documentos\Laura
[09/12/2008 12:39 AM | 00,000,595 | ---- | M] () - C:\Documents and Settings\Propietario\Mis documentos\Mis carpetas para compartir.lnk
[08/30/2008 11:37 AM | 00,000,731 | ---- | M] () - C:\Documents and Settings\All Users\Escritorio\Malwarebytes' Anti-Malware.lnk
[09/02/2008 01:02 AM | 00,001,007 | ---- | M] () - C:\Documents and Settings\All Users\Escritorio\Nero Online Upgrade.lnk
[09/10/2008 01:31 PM | 00,002,165 | ---- | M] () - C:\Documents and Settings\All Users\Escritorio\iTunes.lnk
[08/19/2008 04:53 PM | 00,002,543 | ---- | M] () - C:\Documents and Settings\Propietario\Escritorio\Microsoft Office Excel 2003 (2).lnk
[08/20/2008 01:43 PM | ---D | M] - C:\Documents and Settings\Propietario\Escritorio\Seguretat
[08/23/2008 07:45 PM | 00,002,271 | ---- | M] () - C:\Documents and Settings\Propietario\Escritorio\Copia de PaperPort.lnk
[09/03/2008 08:56 AM | 00,065,536 | ---- | M] () - C:\Documents and Settings\Propietario\Escritorio\PELICULES .xls
[09/11/2008 09:32 AM | ---D | M] - C:\Documents and Settings\Propietario\Escritorio\ZIPS
[09/12/2008 09:29 AM | 00,002,565 | ---- | M] () - C:\Documents and Settings\Propietario\Escritorio\Microsoft Office Word 2003 (2).lnk
< End of report >

Thomas

That OTMoveIt script I provided has some built-in glitches, and we really don't want anything overlooked right now. Unless you can get Kaspersky there disabled though it is pretty useless for either security or solutions at this point, and you will truly need to consider uninstalling it so repairs can be completed. I sense that either version of the two online scans it continues to block would have aided things by now.


Repeat the steps I just posted but with these few changes.

Use this for the OTMoveIt script:

C:\WINDOWS\Tasks\Sa.dat
C:\WINDOWS\system32\37407285651.CPX
C:\WINDOWS\system32\12520850.cpx
C:\WINDOWS\system32\3740728561.CPX
C:\WINDOWS\system32\37407285612.CPX
C:\WINDOWS\system32\40837407285621.CPX
C:\WINDOWS\system32\12520437.cpx
C:\WINDOWS\system32\37407285631.CPX
C:\WINDOWS\System32\112.CPX.old
C:\WINDOWS\System32\121.CPX.old
C:\RECYCLER
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints 2"

---

When you are ready to run the new OTViewIT scan let's get the latest version of that. Delete the existing OTViewIt.exe and download a new copy from here. Then run a scan with that and post those logs instead.

---

Also let's check for those files after, since no online scan log is assisting right now.

Go to Start > Run and type:

cmd.exe

and ok. Copy and paste the below string after the prompt, then press Enter:

dir /s /a "c:\*.cpx*" > c:\find2.txt && notepad c:\find2.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.

Once that Notepad textbox opens, also click at the prompt in the still open command console window and type exit to close that.[/QUOTE]

1 - So Merge your regedit you made.

2 - Run Flash Disinfector again.

3 - The new OTViewIt scan.

4 - And the Run - find file for those ".cpx" files again please.

frolma

Hi,I've already uninstalled kaspersky.Did you mean I've to be without antivirus for the time being?

C:\WINDOWS\Tasks\Sa.dat moved successfully.
File/Folder C:\WINDOWS\system32\37407285651.CPX not found.
C:\WINDOWS\system32\12520850.cpx moved successfully.
C:\WINDOWS\system32\3740728561.CPX moved successfully.
C:\WINDOWS\system32\37407285612.CPX moved successfully.
File/Folder C:\WINDOWS\system32\40837407285621.CPX not found.
C:\WINDOWS\system32\12520437.cpx moved successfully.
File/Folder C:\WINDOWS\system32\37407285631.CPX not found.
C:\WINDOWS\System32\112.CPX.old moved successfully.
C:\WINDOWS\System32\121.CPX.old moved successfully.
C:\RECYCLER\S-1-5-21-343818398-884357618-839522115-500 moved successfully.
C:\RECYCLER\S-1-5-21-343818398-884357618-839522115-1003 moved successfully.
C:\RECYCLER moved successfully.
File/Folder "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints 2" not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09132008_162839



OTViewIt Extras logfile created on: 13/09/2008 16:36:13 - Run 4
OTViewIt by OldTimer - Version 1.0.3.1 Folder = C:\Documents and Settings\Propietario\Mis documentos\PGMS
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy

1014,42 Mb Total Physical Memory | 563,23 Mb Available Physical Memory | 55,52% Memory free
2,39 Gb Paging File | 1,99 Gb Available in Paging File | 83,42% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 74,53 Gb Total Space | 39,60 Gb Free Space | 53,13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.scr [@ = scrfile] -- "%1" /s
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[03/02/2006 02:00 PM | 00,142,848 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[10/10/2006 02:44 PM | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Archivos de programa\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)
[01/19/2007 12:55 PM | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[01/04/2007 04:10 PM | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[03/29/2007 01:00 AM | 00,053,248 | ---- | M] () -- C:\Archivos de programa\Telefonica\AsistCfg71\awcbrwsr.exe:*:Disabled:Aplicación MFC awcbrwsr
[03/02/2006 02:00 PM | 00,142,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019
[10/10/2006 02:44 PM | 00,557,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000
[06/13/2007 03:22 PM | 01,035,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE:*:Disabled:enable
[06/23/2008 11:20 AM | 00,625,664 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer
[06/28/2007 09:14 AM | 15,330,616 | ---- | M] (Apple Inc.) -- C:\Archivos de programa\iTunes\iTunes.exe:*:Disabled:iTunes
[07/15/2003 06:45 AM | 00,196,152 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE:*:Disabled:OUTLOOK.EXE
[11/21/2006 06:05 AM | 00,024,576 | ---- | M] ( ) -- C:\Archivos de programa\Pinnacle\Studio 11\programs\PMSRegisterFile.exe:*:Disabled:PMSRegisterFile
[04/06/2007 02:17 PM | 00,073,728 | ---- | M] (Pinnacle Systems) -- C:\Archivos de programa\Pinnacle\Studio 11\programs\RM.exe:*:Disabled:Render Manager
[04/06/2007 02:40 PM | 05,505,024 | ---- | M] (Pinnacle Systems) -- C:\Archivos de programa\Pinnacle\Studio 11\programs\Studio.exe:*:Disabled:Studio
[04/06/2007 02:16 PM | 00,081,920 | ---- | M] (Pinnacle Systems) -- C:\Archivos de programa\Pinnacle\Studio 11\programs\umi.exe:*:Disabled:umi
File not found -- C:\Archivos de programa\MSN Messenger\msncall.exe:*:Disabled:Windows Live Messenger 8.0 (Phone)
[01/19/2007 12:55 PM | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1
[01/04/2007 04:10 PM | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\MSN Messenger\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)
[10/13/2004 06:24 PM | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Messenger\msmsgs.exe:*:Disabled:Windows Messenger
========== Protocol Handlers ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
msdaipp: [HKLM - No CLSID value]
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08094E03-AFE4-4853-9D31-6D0743DF5328}" = QuickTime
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{110B1ADF-2EAE-4E8F-B501-D2A1E6D8ED9D}" = Studio 11
"{14D84464-5919-4BA7-B51F-B2EFAE95DCC8}" = Learn to Play Magic Demo
"{1692CC0E-8798-493A-9580-23555E21C14B}" = Windows Live Messenger
"{169A15A0-6131-4274-8A8B-7E50702A1F52}" = Cliente de Windows Rights Management con Service Pack 2
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1A7F8DF6-5A3E-4CDF-BC82-BE26B407E21B}" = Los Sims Superstar
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}" = Windows Live Sign-in Assistant
"{236BB7C4-4419-42FD-0C0A-1E257A25E34D}" = Adobe Photoshop CS2
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{2F952048-3220-4AC7-A206-D01EFC774BB2}" = Studio 11
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{350C9C0A-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37477865-A3F1-4772-AD43-AAFC6BCFF99F}" = MSXML 4.0 SP2 (KB927978)
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{405C32CF-9C6F-49B3-9436-3F5FDBE7B3CE}" = Microsoft .NET Framework 2.0 Language Pack - ESN
"{406A5ABF-CA65-4E11-95C7-52228FE48F58}" = TIxx21
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{5783F2D7-5001-040A-0002-0060B0CE6BBA}" = AutoCAD 2007 - Español
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{689FCC19-5582-4D88-BDC6-490EB7DAFB82}" = Asistente Técnico de Telefónica
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}" = mIWCA
"{74EC78BC-B379-4E29-9006-8F161DCAABA6}" = Apple Software Update
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}" = Text-To-Speech-Runtime
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7CD7A451-7224-49C8-95EF-9A1859C66607}" = mZConfig
"{7D9B77E1-0078-0001-4447-ADD4C0A93D1D}" = Sansa Media Converter
"{83169D43-4660-4347-BC95-E9D6E6BE65CE}" = Microsoft .NET Framework 1.1 Spanish Language Pack
"{85B90D8C-70F3-4E84-BD31-5E9489C0F9FB}" = iTunes
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{8FC46258-0843-4D79-B7F0-F2B82FE6173B}" = Apple Mobile Device Support
"{90110C0A-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{907B4640-266B-4A21-92FB-CD1A86CD0F63}" = RollerCoaster Tycoon 3
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A17EABB6-D0C6-44E5-820C-72DC7F495064}" = PaperPort
"{AC76BA86-7AD7-1034-7B44-A70800000002}" = Adobe Reader 7.0.8 - Español
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B502B428-3386-40A9-98DB-079AAB72E64F}" = mEoU.msi
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}" = Motorola Phone Tools
"{BB9AC6BF-71B6-42A4-9689-C17D9F44E79A}" = Brother MFL-Pro Suite
"{C04E32E0-0416-434D-AFB9-6969D703A9EF}" = MSXML 4.0 SP2 (KB936181)
"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{EA926717-CE5A-4CB4-AB21-9E6E9565A458}" = RCT3 Soaked
"{EC905264-BCFE-423B-9C42-C3A106266790}" = SP2 con compatibilidad hacia atrás con cliente de Windows Rights Management
"{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}" = Pinnacle Instant DVD Recorder
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F9AEEC34-CF00-4CBD-9E36-DF9DC4002685}" = Yahoo! Desktop Login
"{FC053571-8507-44E4-8B6D-AACEAB8CA57C}" = Sansa Media Converter
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Autodesk DWF Viewer" = Autodesk DWF Viewer
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"CSCLIB" = Canon Camera Support Core Library
"Cucusoft AVI to DVD/VCD/SVCD/MPEG Converter Pro_is1" = Cucusoft AVI to DVD/VCD/SVCD/MPEG Converter Pro 4.29
"DivX Content Uploader" = DivX Content Uploader
"DP-Book_is1" = DP-Book 2.1.2.6
"EOS Utility" = Canon Utilities EOS Utility
"EsetOnlineScanner" = ESET Online Scanner
"Firebird SQL Server ES" = Firebird SQL Server - MAGIX Edition
"Guitar Pro 5_is1" = Guitar Pro 5.2
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{406A5ABF-CA65-4E11-95C7-52228FE48F58}" = Texas Instruments PCIxx21/x515 drivers.
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"KB873339" = Revisión de Windows XP - KB873339
"KB885835" = Revisión de Windows XP - KB885835
"KB885836" = Revisión de Windows XP - KB885836
"KB886185" = Revisión de Windows XP - KB886185
"KB887472" = Revisión de Windows XP - KB887472
"KB888111WXPSP2" = High Definition Audio Driver Package - KB888111
"KB888302" = Revisión de Windows XP - KB888302
"KB890859" = Revisión de Windows XP - KB890859
"KB891781" = Revisión de Windows XP - KB891781
"KB893803v2" = Windows Installer 3.1 (KB893803)
"KB909520" = Paquete de proveedor base de servicios de cifrado para tarjetas inteligentes de Microsoft
"KB911564" = Actualización de seguridad para el Reproductor de Windows Media (KB911564)
"KB917734_WMP9" = Actualización de seguridad para el Reproductor de Windows Media 9 (KB917734)
"KB925398_WMP64" = Actualización de seguridad para el Reproductor de Windows Media 6.4 (KB925398)
"KB928090-IE7" = Actualización de seguridad para Windows Internet Explorer 7 (KB928090)
"KB929399" = Hotfix for Windows Media Format 11 SDK (KB929399)
"KB929969" = Actualización de seguridad para Windows Internet Explorer 7 (KB929969)
"KB931768-IE7" = Actualización de seguridad para Windows Internet Explorer 7 (KB931768)
"KB933566-IE7" = Actualización de seguridad para Windows Internet Explorer 7 (KB933566)
"KB936782_WMP11" = Actualización de seguridad para el Reproductor de Windows Media 11 (KB936782)
"KB937143-IE7" = Actualización de seguridad para Windows Internet Explorer 7 (KB937143)
"KB938127-IE7" = Actualización de seguridad para Windows Internet Explorer 7 (KB938127)
"KB939653-IE7" = Actualización de seguridad para Windows Internet Explorer 7 (KB939653)
"KB939683" = Revisión para el Reproductor de Windows Media 11 (KB939683)
"KB942615-IE7" = Actualización de seguridad para Windows Internet Explorer 7 (KB942615)
"KB944533-IE7" = Actualización de seguridad para Windows Internet Explorer 7 (KB944533)
"KB947864-IE7" = Revisión para Windows Internet Explorer 7 (KB947864)
"KB953838-IE7" = Actualización de seguridad para Windows Internet Explorer 7 (KB953838)
"KitAim20CT5071RoHS" = Router monopuerto
"LoqTTS-Carmen_is1" = Loquendo TTS: Carmen (Spanish)
"M928366" = Microsoft .NET Framework 1.1 Hotfix (KB928366)
"Macromedia Dreamweaver 3 Es" = Macromedia Dreamweaver 3 Es
"MAGIX music maker 2006 e-version ES" = MAGIX music maker 2006 e-version (ES)
"MAGIX Screenshare ES" = MAGIX Screenshare 4.3.6.1987 (ES)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0 Language Pack - ESN" = Paquete de idioma de Microsoft .NET Framework 2.0 - ESN
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoStitch" = Canon Utilities PhotoStitch
"Pla de Renovació d'Electrodomèstics a Catalunya (O)_is1" = Pla de Renovació d'Electrodomèstics a Catalunya (O)
"Power Manager_is1" = Power Manager 1.9.6
"ProInst" = Intel(R) PROSet/Wireless Software
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SMSERIAL" = Motorola SM56 Data Fax Modem
"ST5UNST #1" = Martin ProSceniumDMX
"SUPER ©" = SUPER © Version 2007.bld.23 (July 4, 2007)
"The KMPlayer" = The KMPlayer (remove only)
"WGA" = Windows Genuine Advantage Validation Tool (KB892130)
"WgaNotify" = Windows Genuine Advantage Notifications (KB905474)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Reproductor de Windows Media 11
"WinRAR archiver" = Compresor WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1" = Xvid 1.1.3 final uninstall
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 06/09/2008 21:12:19 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: wmplayer.exe, versión 11.0.5721.5145,
módulo que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.
Error - 06/09/2008 21:30:47 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Error | ID = 1000
Description = Aplicación con errores: wmplayer.exe, versión: 11.0.5721.5145, módulo
con error: unknown, versión 0.0.0.0, dirección de error 0x11223344.
Error - 06/09/2008 21:31:38 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: wmplayer.exe, versión 11.0.5721.5145,
módulo que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.
Error - 06/09/2008 21:41:02 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Error | ID = 1000
Description = Aplicación con errores: wmplayer.exe, versión: 11.0.5721.5145, módulo
con error: unknown, versión 0.0.0.0, dirección de error 0x11223344.
Error - 06/09/2008 21:41:31 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: wmplayer.exe, versión 11.0.5721.5145,
módulo que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.
Error - 07/09/2008 16:31:33 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: AcroRd32.exe, versión 7.0.8.218, módulo
que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.
Error - 08/09/2008 19:04:41 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Error | ID = 1000
Description = Aplicación con errores: iexplore.exe, versión: 7.0.6000.16705, módulo
con error: flash9d.ocx, versión 9.0.47.0, dirección de error 0x00099a25.
Error - 09/09/2008 15:01:50 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: Ad-Aware.exe, versión 6.2.0.236, módulo
que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.
Error - 09/09/2008 15:59:50 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Error | ID = 1000
Description = Aplicación con errores: iexplore.exe, versión: 7.0.6000.16705, módulo
con error: unknown, versión 0.0.0.0, dirección de error 0x00000000.
Error - 10/09/2008 17:02:16 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Error | ID = 1000
Description = Aplicación con errores: iexplore.exe, versión: 7.0.6000.16705, módulo
con error: unknown, versión 0.0.0.0, dirección de error 0x00000000.
[ Application Events ]
Error - 06/09/2008 21:12:19 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: wmplayer.exe, versión 11.0.5721.5145,
módulo que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.
Error - 06/09/2008 21:30:47 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Error | ID = 1000
Description = Aplicación con errores: wmplayer.exe, versión: 11.0.5721.5145, módulo
con error: unknown, versión 0.0.0.0, dirección de error 0x11223344.
Error - 06/09/2008 21:31:38 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: wmplayer.exe, versión 11.0.5721.5145,
módulo que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.
Error - 06/09/2008 21:41:02 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Error | ID = 1000
Description = Aplicación con errores: wmplayer.exe, versión: 11.0.5721.5145, módulo
con error: unknown, versión 0.0.0.0, dirección de error 0x11223344.
Error - 06/09/2008 21:41:31 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: wmplayer.exe, versión 11.0.5721.5145,
módulo que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.
Error - 07/09/2008 16:31:33 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: AcroRd32.exe, versión 7.0.8.218, módulo
que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.
Error - 08/09/2008 19:04:41 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Error | ID = 1000
Description = Aplicación con errores: iexplore.exe, versión: 7.0.6000.16705, módulo
con error: flash9d.ocx, versión 9.0.47.0, dirección de error 0x00099a25.
Error - 09/09/2008 15:01:50 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: Ad-Aware.exe, versión 6.2.0.236, módulo
que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.
Error - 09/09/2008 15:59:50 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Error | ID = 1000
Description = Aplicación con errores: iexplore.exe, versión: 7.0.6000.16705, módulo
con error: unknown, versión 0.0.0.0, dirección de error 0x00000000.
Error - 10/09/2008 17:02:16 | Computer Name = ORGANIZA-6EEEB6 | Source = Application Error | ID = 1000
Description = Aplicación con errores: iexplore.exe, versión: 7.0.6000.16705, módulo
con error: unknown, versión 0.0.0.0, dirección de error 0x00000000.
[ System Events ]
Error - 10/09/2008 7:47:29 | Computer Name = ORGANIZA-6EEEB6 | Source = Service Control Manager | ID = 7001
Description = El servicio Servicios IPSEC depende del servicio Controlador IPSEC,
el cual no pudo iniciarse debido al siguiente error: %%31
Error - 10/09/2008 7:47:29 | Computer Name = ORGANIZA-6EEEB6 | Source = Service Control Manager | ID = 7026
Description = El controlador de inicialización siguiente no se cargó correctamente:
AFD Fips intelppm IPSec kl1 klbg KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
Error - 10/09/2008 7:49:05 | Computer Name = ORGANIZA-6EEEB6 | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
EventSystem con argumentos "" para ejecutar el servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Error - 10/09/2008 7:49:07 | Computer Name = ORGANIZA-6EEEB6 | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
netman con argumentos "" para ejecutar el servidor: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
Error - 10/09/2008 13:36:37 | Computer Name = ORGANIZA-6EEEB6 | Source = Service Control Manager | ID = 7034
Description = El servicio Servicio del iPod se terminó de manera inesperada. Esto
ha sucedido 1 veces.
Error - 10/09/2008 13:36:53 | Computer Name = ORGANIZA-6EEEB6 | Source = Service Control Manager | ID = 7031
Description = El servicio Apple Mobile Device terminó inesperadamente. Lo ha hecho
1 veces. Se realizará la siguiente acción correctora en 60000 milisegundos: Reiniciar
el servicio.
Error - 10/09/2008 13:46:27 | Computer Name = ORGANIZA-6EEEB6 | Source = Service Control Manager | ID = 7031
Description = El servicio Apple Mobile Device terminó inesperadamente. Lo ha hecho
2 veces. Se realizará la siguiente acción correctora en 60000 milisegundos: Reiniciar
el servicio.
Error - 10/09/2008 14:05:26 | Computer Name = ORGANIZA-6EEEB6 | Source = Service Control Manager | ID = 7031
Description = El servicio Apple Mobile Device terminó inesperadamente. Lo ha hecho
1 veces. Se realizará la siguiente acción correctora en 60000 milisegundos: Reiniciar
el servicio.
Error - 10/09/2008 14:07:50 | Computer Name = ORGANIZA-6EEEB6 | Source = Service Control Manager | ID = 7031
Description = El servicio Apple Mobile Device terminó inesperadamente. Lo ha hecho
2 veces. Se realizará la siguiente acción correctora en 60000 milisegundos: Reiniciar
el servicio.
Error - 12/09/2008 16:52:18 | Computer Name = ORGANIZA-6EEEB6 | Source = System Error | ID = 1003
Description = Código de error 100000d4, parámetro 1 a8d58938, parámetro 2 000000ff,
parámetro 3 00000001, parámetro 4 80541a55.

< End of report >

frolma

El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: F084-9B57
Directorio de c:\WINDOWS\system32
18/04/2007 19:54 113.152 11.CPX
12/09/2008 23:09 285 112.CPX
12/09/2008 23:09 414 121.CPX
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
20/04/2007 21:54 414 37407285621.CPX
6 archivos 118.649 bytes
Directorio de c:\WINDOWS\system32\dllcache
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
2 archivos 4.384 bytes
Directorio de c:\_OTMoveIt\MovedFiles\08302008_192308\WINDOWS\System32
28/08/2008 19:14 290 112.CPX.old
28/08/2008 19:14 422 121.CPX.old
2 archivos 712 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09122008_184804\WINDOWS\system32
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
17/04/2007 19:54 113.152 3740728561.CPX
19/04/2007 20:54 285 37407285612.CPX
19/04/2007 21:54 1.957 37407285631.CPX
17/04/2007 19:54 11.312 37407285651.CPX
6 archivos 131.090 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09132008_162839\WINDOWS\system32
02/09/2008 16:57 298 112.CPX.old
02/09/2008 16:57 408 121.CPX.old
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
17/04/2007 18:54 113.152 3740728561.CPX
18/04/2007 18:54 285 37407285612.CPX
6 archivos 118.527 bytes
Total de archivos en la lista:
22 archivos 373.362 bytes
0 dirs 42.515.501.056 bytes libres


After merge regedit and run flash disinfector


OTViewIt logfile created on: 13/09/2008 16:52:35 - Run 5
OTViewIt by OldTimer - Version 1.0.3.1 Folder = C:\Documents and Settings\Propietario\Mis documentos\PGMS
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy

1014,42 Mb Total Physical Memory | 540,89 Mb Available Physical Memory | 53,32% Memory free
2,39 Gb Paging File | 2,00 Gb Available in Paging File | 83,90% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 74,53 Gb Total Space | 39,60 Gb Free Space | 53,13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ORGANIZA-6EEEB6
Current User Name: Propietario
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
========== Processes - Non-Microsoft Only ==========
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
[12/13/2001 01:01 AM | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe
[06/03/2005 02:26 AM | 00,245,760 | ---- | M] (Intel) -- C:\Archivos de programa\Intel\Wireless\Bin\1XConfig.exe
[07/05/2005 10:47 PM | 00,544,768 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe
[08/08/2005 11:13 AM | 00,163,840 | ---- | M] () -- C:\Archivos de programa\Power Manager\PM.exe
[03/18/2005 11:52 AM | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
[05/17/2005 06:42 PM | 00,933,888 | ---- | M] (Brother Industries, Ltd.) -- C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe
[09/13/2008 04:24 PM | 00,379,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Propietario\Mis documentos\PGMS\OTViewIt.exe
========== Win32 Services - Non-Microsoft Only ==========
[01/23/2007 10:00 PM | 00,077,944 | ---- | M] (Autodesk) -- C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service [Auto | Running])
[03/02/2006 02:00 PM | 00,225,792 | ---- | M] (Microsoft Corp., VERITAS Software) -- C:\WINDOWS\system32\dmadmin.exe -- (dmadmin [On_Demand | Stopped])
[11/17/2005 03:18 PM | 01,527,900 | ---- | M] (MAGIX®) -- C:\Archivos de programa\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance [On_Demand | Stopped])
========== Driver Services - Non-Microsoft Only ==========
[10/15/2004 01:50 PM | 00,015,295 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb [On_Demand | Stopped])
File not found -- C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\catchme.sys -- (catchme [On_Demand | Stopped])
[01/14/2005 11:22 AM | 00,005,504 | R--- | M] (EnE Technology Inc.) -- C:\WINDOWS\system32\drivers\EKBfltr.sys -- (EKBfltr [On_Demand | Running])
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [On_Demand | Stopped])
[09/20/2005 05:27 PM | 00,010,368 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])
[09/02/2008 12:16 AM | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])
[06/19/2008 05:24 PM | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
[05/30/2008 06:30 PM | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin [On_Demand | Stopped])
[07/05/2005 10:54 PM | 00,840,100 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial [On_Demand | Running])
[06/03/2005 11:50 PM | 00,162,176 | ---- | M] (Texas Instruments) -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
File not found -- C:\WINDOWS\system32\drivers\klif.sys -- (TSP [On_Demand | Stopped])
[03/02/2002 12:21 AM | 00,004,944 | ---- | M] () -- C:\Archivos de programa\Power Manager\WinIo.sys -- (WINIO [On_Demand | Running])

========== Run Keys ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr" = ALCMTR.EXE (Realtek Semiconductor Corp.)
"ControlCenter2.0" = C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun (Brother Industries, Ltd.)
"EOUApp" = C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe (Intel Corporation)
"High Definition Audio Property Page Shortcut" = HDAShCut.exe (Windows (R) Server 2003 DDK provider)
"HotKeysCmds" = C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"IgfxTray" = C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"IndexSearch" = C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
"IntelWireless" = C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless (Intel Corporation)
"IntelZeroConfig" = C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
"NeroFilterCheck" = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
"PaperPort PTD" = C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
"Persistence" = C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"PowerDVD" = C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe /autostart (CyberLink Corp.)
"PowerManager" = C:\Archivos de programa\Power Manager\PM.exe ()
"QuickTime Task" = "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"RTHDCPL" = RTHDCPL.EXE (Realtek Semiconductor Corp.)
"SetDefPrt" = C:\Archivos de programa\Brother\Brmfl05a\BrStDvPt.exe (Brother Industories, Ltd.)
"SMSERIAL" = sm56hlpr.exe (Motorola Inc.)
"SSBkgdUpdate" = "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Scansoft, Inc.)
"SunJavaUpdateSched" = "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe" (Sun Microsystems, Inc.)
"Telefonica" = "C:\Archivos de programa\Telefonica\bin\sprtcmd.exe" /P Telefonica (SupportSoft, Inc.)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchList" = C:\Archivos de programa\Pinnacle\Studio 11\LaunchList2.exe (Pinnacle Systems)
"NBJ" = "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe" (Ahead Software AG)
========== Startup Folders ==========
[03/05/2006 03:43 PM | 00,011,000 | ---- | M] (Autodesk, Inc) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Acelerador de inicio de AutoCAD.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
[09/23/2005 11:05 PM | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[04/23/2005 08:12 PM | 00,802,816 | ---- | M] (Brother Industries, Ltd.) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Monitor de estado.lnk = C:\Archivos de programa\Brother\Brmfcmon\BrMfcWnd.exe
========== Internet Explorer ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL" = http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page" = %SystemRoot%\system32\blank.htm
"Search Bar" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
"Search Page" = http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page" = http://go.microsoft.com/fwlink/?LinkId=69157
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Search Page" = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page" = http://www.google.es/
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
========== BHO's ==========
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Toolbars ==========
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Winlogon Notify Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
IntelWireless: "DllName" = C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll -- C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
========== Safeboot Options ==========
"AlternateShell" = cmd.exe
========== CDRom AutoRun Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1
========== Autorun Files on Drives ==========
AUTOEXEC.BAT [SET PATH=C:\Archivos de programa\Pinnacle\Shared Files;C:\Archivos de programa\Pinnacle\Shared Files\Filter | ]
[03/23/2008 11:37 PM | 00,000,109 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
autorun.inf []
[09/12/2008 06:42 PM | RHSD | M] -- C:\autorun.inf -- [ NTFS ]

========== MountPoints2 ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\AutoRun\command]
"" = dh66ln.cmd

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\explore\Command]
"" = dh66ln.cmd

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\open\Command]
"" = dh66ln.cmd
========== DNS Name Servers ==========
{472F2256-6B58-4784-9CD8-32BD2E21A4F7} (Servers: | Description: Intel(R) PRO/Wireless 2200BG Network Connection)
{59B3C720-E9B0-45FE-B97C-2BD8CCDC2EB2} (Servers: 80.58.61.254,80.58.61.250 | Description: Broadcom 440x 10/100 Integrated Controller)
{A5175BD6-662B-46EA-A446-EECCE2055DAC} (Servers: 80.58.61.254,80.58.61.250 | Description: Adaptador de red 1394)
========== Hosts File ==========
HOSTS File = (792 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== Files/Folders - Created Within 30 days ==========
[08/30/2008 11:11 AM | ---D | C] -- C:\_OTMoveIt
[08/30/2008 11:18 AM | ---D | C] -- C:\SDFix
[09/03/2008 03:41 PM | ---D | C] -- C:\0f118ff24134c722b11e1296b6b1d026
[09/08/2008 06:27 PM | 00,162,616 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\RegDelNull.exe
[09/12/2008 06:42 PM | RHSD | C] -- C:\autorun.inf
[09/13/2008 04:11 PM | -HSD | C] -- C:\Config.Msi
[08/30/2008 11:37 AM | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[08/30/2008 11:37 AM | 00,038,528 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[09/06/2008 07:42 PM | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[09/12/2008 07:10 PM | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[1 C:\WINDOWS\System32\*.tmp files]
[08/15/2008 06:03 AM | 00,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll
[08/15/2008 06:05 AM | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\mgxasio2.dll
[08/15/2008 06:05 AM | 00,430,080 | ---- | C] (MAGIX AG) -- C:\WINDOWS\System32\MXRestore.exe
[08/28/2008 10:21 AM | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[09/12/2008 11:09 PM | 00,000,285 | ---- | C] () -- C:\WINDOWS\System32\112.CPX
[09/12/2008 11:09 PM | 00,000,414 | ---- | C] () -- C:\WINDOWS\System32\121.CPX
[09/13/2008 04:50 PM | 00,000,285 | ---- | C] () -- C:\WINDOWS\System32\37407285612.CPX
[5 C:\WINDOWS\*.tmp files]
[08/15/2008 06:06 AM | 00,000,028 | ---- | C] () -- C:\WINDOWS\Robota.INI
[08/30/2008 11:19 AM | ---D | C] -- C:\WINDOWS\ERUNT
[09/06/2008 07:42 PM | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[09/06/2008 07:42 PM | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[09/06/2008 07:42 PM | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[09/06/2008 07:42 PM | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[08/15/2008 06:03 AM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\MAGIX
[08/20/2008 01:40 PM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
[08/23/2008 03:17 AM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab Setup Files
[08/30/2008 11:37 AM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
[08/15/2008 06:06 AM | ---D | C] -- C:\Documents and Settings\Propietario\Datos de programa\MAGIX
[08/30/2008 11:37 AM | ---D | C] -- C:\Documents and Settings\Propietario\Datos de programa\Malwarebytes
[08/15/2008 06:04 AM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\MAGIX_MusicMaker2008PE_Version_para_descargar
[08/15/2008 06:06 AM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\MAGIX Descargas
[08/15/2008 06:06 AM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\MAGIX_Screenshare
[08/30/2008 11:46 AM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\LOGS
[08/31/2008 10:43 AM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\Quarantine
[09/07/2008 06:51 PM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\PGMS
[08/30/2008 11:37 AM | 00,000,731 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes' Anti-Malware.lnk
[09/02/2008 01:02 AM | 00,001,007 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Nero Online Upgrade.lnk
[09/05/2008 11:29 AM | ---D | C] -- C:\Documents and Settings\Propietario\Escritorio\ZIPS
[08/15/2008 06:03 AM | ---D | C] -- C:\Archivos de programa\MAGIX
[08/20/2008 01:40 PM | ---D | C] -- C:\Archivos de programa\Spybot - Search & Destroy
[08/20/2008 01:49 AM | ---D | C] -- C:\Archivos de programa\Trend Micro
[08/23/2008 06:35 PM | ---D | C] -- C:\Archivos de programa\BitTorrent Fastest Tool
[08/30/2008 11:37 AM | ---D | C] -- C:\Archivos de programa\Malwarebytes' Anti-Malware
[09/02/2008 05:09 PM | ---D | C] -- C:\Archivos de programa\EsetOnlineScanner
[09/12/2008 07:09 PM | ---D | C] -- C:\Archivos de programa\Panda Security
========== Files - Modified Within 30 days ==========
[09/10/2008 06:25 PM | 00,000,211 | -HS- | M] () -- C:\boot.ini
[09/02/2008 12:16 AM | 00,017,200 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[09/02/2008 12:16 AM | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[1 C:\WINDOWS\System32\*.tmp files]
[08/23/2008 02:40 AM | 00,064,706 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[08/23/2008 02:40 AM | 00,084,476 | ---- | M] () -- C:\WINDOWS\System32\perfc00A.dat
[08/23/2008 02:40 AM | 00,409,566 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[08/23/2008 02:40 AM | 00,473,274 | ---- | M] () -- C:\WINDOWS\System32\perfh00A.dat
[08/23/2008 02:40 AM | 01,043,160 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[09/12/2008 11:09 PM | 00,000,285 | ---- | M] () -- C:\WINDOWS\System32\112.CPX
[09/12/2008 11:09 PM | 00,000,414 | ---- | M] () -- C:\WINDOWS\System32\121.CPX
[09/13/2008 04:14 PM | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[09/13/2008 04:50 PM | 00,000,285 | ---- | M] () -- C:\WINDOWS\System32\37407285612.CPX
[5 C:\WINDOWS\*.tmp files]
[08/15/2008 06:05 AM | 00,006,308 | ---- | M] () -- C:\WINDOWS\mgxoschk.ini
[08/17/2008 09:19 PM | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[08/18/2008 12:27 PM | 00,000,350 | ---- | M] () -- C:\WINDOWS\BeatBox.INI
[08/18/2008 12:27 PM | 00,000,456 | ---- | M] () -- C:\WINDOWS\musicmaker.INI
[08/29/2008 02:08 PM | 00,000,028 | ---- | M] () -- C:\WINDOWS\Robota.INI
[09/06/2008 07:42 PM | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[09/06/2008 07:42 PM | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[09/08/2008 02:25 PM | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini
[09/10/2008 06:25 PM | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[09/10/2008 06:25 PM | 00,000,799 | ---- | M] () -- C:\WINDOWS\win.ini
[09/13/2008 04:14 PM | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[09/13/2008 12:55 PM | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[09/09/2008 10:25 AM | 00,000,298 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[09/10/2008 06:34 PM | 00,161,280 | ---- | M] () -- C:\Documents and Settings\Propietario\Configuración local\Datos de programa\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[09/13/2008 12:55 PM | 00,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documentos\PCLECHAL.INI
[09/13/2008 12:53 PM | 00,000,595 | ---- | M] () -- C:\Documents and Settings\Propietario\Mis documentos\Mis carpetas para compartir.lnk
[08/30/2008 11:37 AM | 00,000,731 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes' Anti-Malware.lnk
[09/02/2008 01:02 AM | 00,001,007 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Nero Online Upgrade.lnk
[09/10/2008 01:31 PM | 00,002,165 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\iTunes.lnk
[08/19/2008 04:53 PM | 00,002,543 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\Microsoft Office Excel 2003 (2).lnk
[08/23/2008 07:45 PM | 00,002,271 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\Copia de PaperPort.lnk
[09/03/2008 08:56 AM | 00,065,536 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\PELICULES .xls
[09/12/2008 09:29 AM | 00,002,565 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\Microsoft Office Word 2003 (2).lnk
< End of report >

frolma

El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: F084-9B57
Directorio de c:\WINDOWS\system32
18/04/2007 19:54 113.152 11.CPX
12/09/2008 23:09 285 112.CPX
12/09/2008 23:09 414 121.CPX
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
18/04/2007 19:54 285 37407285612.CPX
6 archivos 118.520 bytes
Directorio de c:\WINDOWS\system32\dllcache
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
2 archivos 4.384 bytes
Directorio de c:\_OTMoveIt\MovedFiles\08302008_192308\WINDOWS\System32
28/08/2008 19:14 290 112.CPX.old
28/08/2008 19:14 422 121.CPX.old
2 archivos 712 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09122008_184804\WINDOWS\system32
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
19/04/2007 20:54 285 37407285612.CPX
17/04/2007 19:54 11.312 37407285651.CPX
4 archivos 15.981 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09132008_162839\WINDOWS\system32
02/09/2008 16:57 298 112.CPX.old
02/09/2008 16:57 408 121.CPX.old
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
18/04/2007 18:54 285 37407285612.CPX
5 archivos 5.375 bytes
Total de archivos en la lista:
19 archivos 144.972 bytes
0 dirs 42.515.595.264 bytes libres

Thomas

Darn - the script got a space added again. I am not doing something right here copying/pasting back and forth in this thread somehow. Each small space has allowed the autoload registry entry to return some settings there. I see the Panda driver with recent use - no luck huh?


I'm sorry frolma, but another run of the same procedures please.


First Go here and download the free version of SUPERAntiSpyware and install it.

After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to it's research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

Once the installation is complete open SUPERAntiSpyware and press the Preferences button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).

Start-up Options:
*Start SUPERAntiSpyware when Windows starts

Automatic Updates:
*Check for program updates when the application starts.
Start-up Scanning:
*Check for updates before scanning on startup.

Then select Close. Don't scan just yet though.

---

Use this for the OTMoveIt script:

C:\dh66ln.cmd
c:\WINDOWS\system32\11.CPX
c:\WINDOWS\system32\112.CPX
c:\WINDOWS\system32\121.CPX
c:\WINDOWS\system32\12520437.cpx
c:\WINDOWS\system32\12520850.cpx
c:\WINDOWS\system32\37407285621.CPX
c:\WINDOWS\system32\dllcache\12520437.cpx
c:\WINDOWS\system32\dllcache\12520850.cpx
C:\0f118ff24134c722b11e1296b6b1d026
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

---

Go to Start > Run and type:

cmd.exe

and ok. Copy and paste the below string after the prompt, then press Enter:

dir /s /a "c:\*.cpx*" > c:\find2.txt && notepad c:\find2.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.

Once that Notepad textbox opens, also click at the prompt in the still open command console window and type exit to close that.[/QUOTE]

1 - So Merge your regedit you made.

2 - Run Flash Disinfector again.

3 - The new OTViewIt scan.

4 - And the Run - find file for those ".cpx" files again please.


And we need something else there assisting this situation. Once you have completed those steps. Open SUPERAntiSpyware and click the Scan your Computer button. You may need to start SUPERAntiSpyware, then right click the Taskbar icon (the little bug shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.


SUPERAntiSpyware will now scan your computer and when its finished it will list all the infections it has found. Make sure that they all have a check next to them and click next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).

Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.

Post back the new OTViewIt, the OTMoveIt results, the file find you run again and this SUPERAntiSpyware log please.

frolma

Hi.....yes, I haven't luck nor kaspersky neither panda......patience.


File/Folder C:\dh66ln.cmd not found.
c:\WINDOWS\system32\11.CPX moved successfully.
c:\WINDOWS\system32\112.CPX moved successfully.
c:\WINDOWS\system32\121.CPX moved successfully.
c:\WINDOWS\system32\12520437.cpx moved successfully.
c:\WINDOWS\system32\12520850.cpx moved successfully.
c:\WINDOWS\system32\37407285621.CPX moved successfully.
c:\WINDOWS\system32\dllcache\12520437.cpx moved successfully.
c:\WINDOWS\system32\dllcache\12520850.cpx moved successfully.
C:\0f118ff24134c722b11e1296b6b1d026 moved successfully.
File/Folder "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09142008_221251




El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: F084-9B57
Directorio de c:\WINDOWS\system32
19/04/2007 21:54 113.152 3740728561.CPX
19/04/2007 20:54 286 37407285612.CPX
20/04/2007 21:54 2.045 37407285631.CPX
18/04/2007 20:54 11.385 37407285651.CPX
4 archivos 126.868 bytes
Directorio de c:\_OTMoveIt\MovedFiles\08302008_192308\WINDOWS\System32
28/08/2008 19:14 290 112.CPX.old
28/08/2008 19:14 422 121.CPX.old
2 archivos 712 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09122008_184804\WINDOWS\system32
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
17/04/2007 19:54 113.152 3740728561.CPX
19/04/2007 20:54 285 37407285612.CPX
19/04/2007 21:54 1.957 37407285631.CPX
17/04/2007 19:54 11.312 37407285651.CPX
6 archivos 131.090 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09132008_162839\WINDOWS\system32
02/09/2008 16:57 298 112.CPX.old
02/09/2008 16:57 408 121.CPX.old
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
17/04/2007 18:54 113.152 3740728561.CPX
18/04/2007 18:54 285 37407285612.CPX
6 archivos 118.527 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09142008_221251\WINDOWS\system32
18/04/2007 19:54 113.152 11.CPX
12/09/2008 23:09 285 112.CPX
12/09/2008 23:09 414 121.CPX
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
19/04/2007 20:54 411 37407285621.CPX
6 archivos 118.646 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09142008_221251\WINDOWS\system32\dllcache
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
2 archivos 4.384 bytes
Total de archivos en la lista:
26 archivos 500.227 bytes
0 dirs 42.431.123.456 bytes libres


After to run regedit and Flash Disinfector

OTViewIt logfile created on: 14/09/2008 22:28:52 - Run 7
OTViewIt by OldTimer - Version 1.0.3.1 Folder = C:\Documents and Settings\Propietario\Mis documentos\PGMS
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy

1014,42 Mb Total Physical Memory | 569,13 Mb Available Physical Memory | 56,10% Memory free
2,39 Gb Paging File | 1,96 Gb Available in Paging File | 82,31% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 74,53 Gb Total Space | 39,52 Gb Free Space | 53,02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ORGANIZA-6EEEB6
Current User Name: Propietario
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
========== Processes - Non-Microsoft Only ==========
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
[12/13/2001 01:01 AM | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe
[06/03/2005 02:26 AM | 00,245,760 | ---- | M] (Intel) -- C:\Archivos de programa\Intel\Wireless\Bin\1XConfig.exe
[07/05/2005 10:47 PM | 00,544,768 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe
[08/08/2005 11:13 AM | 00,163,840 | ---- | M] () -- C:\Archivos de programa\Power Manager\PM.exe
[03/18/2005 11:52 AM | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
[05/17/2005 06:42 PM | 00,933,888 | ---- | M] (Brother Industries, Ltd.) -- C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe
[09/03/2008 02:07 PM | 01,576,176 | ---- | M] (SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
[09/13/2008 04:24 PM | 00,379,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Propietario\Mis documentos\PGMS\OTViewIt.exe
========== Win32 Services - Non-Microsoft Only ==========
[01/23/2007 10:00 PM | 00,077,944 | ---- | M] (Autodesk) -- C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service [Auto | Running])
[03/02/2006 02:00 PM | 00,225,792 | ---- | M] (Microsoft Corp., VERITAS Software) -- C:\WINDOWS\system32\dmadmin.exe -- (dmadmin [On_Demand | Stopped])
[11/17/2005 03:18 PM | 01,527,900 | ---- | M] (MAGIX®) -- C:\Archivos de programa\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance [On_Demand | Stopped])
========== Driver Services - Non-Microsoft Only ==========
[10/15/2004 01:50 PM | 00,015,295 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb [On_Demand | Stopped])
File not found -- C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\catchme.sys -- (catchme [On_Demand | Stopped])
[01/14/2005 11:22 AM | 00,005,504 | R--- | M] (EnE Technology Inc.) -- C:\WINDOWS\system32\drivers\EKBfltr.sys -- (EKBfltr [On_Demand | Running])
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [On_Demand | Stopped])
[09/20/2005 05:27 PM | 00,010,368 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])
[09/02/2008 12:16 AM | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])
[06/19/2008 05:24 PM | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
[05/30/2008 06:30 PM | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin [On_Demand | Stopped])
[07/05/2005 10:54 PM | 00,840,100 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial [On_Demand | Running])
[06/03/2005 11:50 PM | 00,162,176 | ---- | M] (Texas Instruments) -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
File not found -- C:\WINDOWS\system32\drivers\klif.sys -- (TSP [On_Demand | Stopped])
[03/02/2002 12:21 AM | 00,004,944 | ---- | M] () -- C:\Archivos de programa\Power Manager\WinIo.sys -- (WINIO [On_Demand | Running])
[09/03/2008 02:07 PM | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[09/03/2008 02:07 PM | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[09/03/2008 02:07 PM | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])

========== Run Keys ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr" = ALCMTR.EXE (Realtek Semiconductor Corp.)
"ControlCenter2.0" = C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun (Brother Industries, Ltd.)
"EOUApp" = C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe (Intel Corporation)
"High Definition Audio Property Page Shortcut" = HDAShCut.exe (Windows (R) Server 2003 DDK provider)
"HotKeysCmds" = C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"IgfxTray" = C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"IndexSearch" = C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
"IntelWireless" = C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless (Intel Corporation)
"IntelZeroConfig" = C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
"NeroFilterCheck" = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
"PaperPort PTD" = C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
"Persistence" = C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"PowerDVD" = C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe /autostart (CyberLink Corp.)
"PowerManager" = C:\Archivos de programa\Power Manager\PM.exe ()
"QuickTime Task" = "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"RTHDCPL" = RTHDCPL.EXE (Realtek Semiconductor Corp.)
"SetDefPrt" = C:\Archivos de programa\Brother\Brmfl05a\BrStDvPt.exe (Brother Industories, Ltd.)
"SMSERIAL" = sm56hlpr.exe (Motorola Inc.)
"SSBkgdUpdate" = "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Scansoft, Inc.)
"SunJavaUpdateSched" = "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe" (Sun Microsystems, Inc.)
"Telefonica" = "C:\Archivos de programa\Telefonica\bin\sprtcmd.exe" /P Telefonica (SupportSoft, Inc.)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchList" = C:\Archivos de programa\Pinnacle\Studio 11\LaunchList2.exe (Pinnacle Systems)
"NBJ" = "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe" (Ahead Software AG)
========== Startup Folders ==========
[03/05/2006 03:43 PM | 00,011,000 | ---- | M] (Autodesk, Inc) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Acelerador de inicio de AutoCAD.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
[09/23/2005 11:05 PM | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[04/23/2005 08:12 PM | 00,802,816 | ---- | M] (Brother Industries, Ltd.) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Monitor de estado.lnk = C:\Archivos de programa\Brother\Brmfcmon\BrMfcWnd.exe
========== Internet Explorer ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL" = http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page" = %SystemRoot%\system32\blank.htm
"Search Bar" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
"Search Page" = http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page" = http://go.microsoft.com/fwlink/?LinkId=69157
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Search Page" = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page" = http://www.google.es/
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
========== BHO's ==========
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Toolbars ==========
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Shell Execute Hooks ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
========== Winlogon Notify Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll -- C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
IntelWireless: "DllName" = C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll -- C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
========== Safeboot Options ==========
"AlternateShell" = cmd.exe
========== CDRom AutoRun Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1
========== Autorun Files on Drives ==========
AUTOEXEC.BAT [SET PATH=C:\Archivos de programa\Pinnacle\Shared Files;C:\Archivos de programa\Pinnacle\Shared Files\Filter | ]
[03/23/2008 11:37 PM | 00,000,109 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
autorun.inf []
[09/12/2008 06:42 PM | RHSD | M] -- C:\autorun.inf -- [ NTFS ]

========== MountPoints2 ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\AutoRun\command]
"" = dh66ln.cmd

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\explore\Command]
"" = dh66ln.cmd

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\open\Command]
"" = dh66ln.cmd
========== DNS Name Servers ==========
{472F2256-6B58-4784-9CD8-32BD2E21A4F7} (Servers: | Description: Intel(R) PRO/Wireless 2200BG Network Connection)
{59B3C720-E9B0-45FE-B97C-2BD8CCDC2EB2} (Servers: 80.58.61.254,80.58.61.250 | Description: Broadcom 440x 10/100 Integrated Controller)
{A5175BD6-662B-46EA-A446-EECCE2055DAC} (Servers: 80.58.61.254,80.58.61.250 | Description: Adaptador de red 1394)
========== Hosts File ==========
HOSTS File = (792 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== Files/Folders - Created Within 30 days ==========
[08/30/2008 11:11 AM | ---D | C] -- C:\_OTMoveIt
[08/30/2008 11:18 AM | ---D | C] -- C:\SDFix
[09/08/2008 06:27 PM | 00,162,616 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\RegDelNull.exe
[09/12/2008 06:42 PM | RHSD | C] -- C:\autorun.inf
[09/13/2008 04:55 PM | -HSD | C] -- C:\RECYCLER
[08/30/2008 11:37 AM | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[08/30/2008 11:37 AM | 00,038,528 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[09/06/2008 07:42 PM | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[09/12/2008 07:10 PM | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[1 C:\WINDOWS\System32\*.tmp files]
[08/28/2008 10:21 AM | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[5 C:\WINDOWS\*.tmp files]
[08/30/2008 11:19 AM | ---D | C] -- C:\WINDOWS\ERUNT
[09/06/2008 07:42 PM | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[09/06/2008 07:42 PM | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[09/06/2008 07:42 PM | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[09/06/2008 07:42 PM | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[09/13/2008 10:13 PM | 00,000,006 | -H-- | C] () -- C:\WINDOWS\tasks\SA.DAT
[08/20/2008 01:40 PM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
[08/23/2008 03:17 AM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab Setup Files
[08/30/2008 11:37 AM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
[09/14/2008 09:01 PM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\SUPERAntiSpyware.com
[08/30/2008 11:37 AM | ---D | C] -- C:\Documents and Settings\Propietario\Datos de programa\Malwarebytes
[09/14/2008 09:01 PM | ---D | C] -- C:\Documents and Settings\Propietario\Datos de programa\SUPERAntiSpyware.com
[08/30/2008 11:46 AM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\LOGS
[08/31/2008 10:43 AM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\Quarantine
[09/07/2008 06:51 PM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\PGMS
[08/30/2008 11:37 AM | 00,000,731 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes' Anti-Malware.lnk
[09/02/2008 01:02 AM | 00,001,007 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Nero Online Upgrade.lnk
[09/14/2008 09:01 PM | 00,000,829 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\SUPERAntiSpyware Free Edition.lnk
[09/05/2008 11:29 AM | ---D | C] -- C:\Documents and Settings\Propietario\Escritorio\ZIPS
[08/20/2008 01:40 PM | ---D | C] -- C:\Archivos de programa\Spybot - Search & Destroy
[08/20/2008 01:49 AM | ---D | C] -- C:\Archivos de programa\Trend Micro
[08/23/2008 06:35 PM | ---D | C] -- C:\Archivos de programa\BitTorrent Fastest Tool
[08/30/2008 11:37 AM | ---D | C] -- C:\Archivos de programa\Malwarebytes' Anti-Malware
[09/02/2008 05:09 PM | ---D | C] -- C:\Archivos de programa\EsetOnlineScanner
[09/12/2008 07:09 PM | ---D | C] -- C:\Archivos de programa\Panda Security
[09/14/2008 09:01 PM | ---D | C] -- C:\Archivos de programa\SUPERAntiSpyware
========== Files - Modified Within 30 days ==========
[09/10/2008 06:25 PM | 00,000,211 | -HS- | M] () -- C:\boot.ini
[09/02/2008 12:16 AM | 00,017,200 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[09/02/2008 12:16 AM | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[1 C:\WINDOWS\System32\*.tmp files]
[08/23/2008 02:40 AM | 00,064,706 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[08/23/2008 02:40 AM | 00,084,476 | ---- | M] () -- C:\WINDOWS\System32\perfc00A.dat
[08/23/2008 02:40 AM | 00,409,566 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[08/23/2008 02:40 AM | 00,473,274 | ---- | M] () -- C:\WINDOWS\System32\perfh00A.dat
[08/23/2008 02:40 AM | 01,043,160 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[09/14/2008 08:51 PM | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[5 C:\WINDOWS\*.tmp files]
[08/18/2008 12:27 PM | 00,000,350 | ---- | M] () -- C:\WINDOWS\BeatBox.INI
[08/18/2008 12:27 PM | 00,000,456 | ---- | M] () -- C:\WINDOWS\musicmaker.INI
[08/29/2008 02:08 PM | 00,000,028 | ---- | M] () -- C:\WINDOWS\Robota.INI
[09/06/2008 07:42 PM | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[09/06/2008 07:42 PM | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[09/08/2008 02:25 PM | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini
[09/10/2008 06:25 PM | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[09/10/2008 06:25 PM | 00,000,799 | ---- | M] () -- C:\WINDOWS\win.ini
[09/13/2008 06:32 PM | 00,000,474 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[09/13/2008 12:55 PM | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[09/14/2008 01:32 AM | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[09/14/2008 07:47 PM | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[09/09/2008 10:25 AM | 00,000,298 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[09/14/2008 07:47 PM | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[09/13/2008 11:00 PM | 00,161,280 | ---- | M] () -- C:\Documents and Settings\Propietario\Configuración local\Datos de programa\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[09/13/2008 12:55 PM | 00,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documentos\PCLECHAL.INI
[09/14/2008 04:06 PM | 00,000,595 | ---- | M] () -- C:\Documents and Settings\Propietario\Mis documentos\Mis carpetas para compartir.lnk
[08/30/2008 11:37 AM | 00,000,731 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes' Anti-Malware.lnk
[09/02/2008 01:02 AM | 00,001,007 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Nero Online Upgrade.lnk
[09/14/2008 03:03 PM | 00,002,165 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\iTunes.lnk
[09/14/2008 09:01 PM | 00,000,829 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\SUPERAntiSpyware Free Edition.lnk
[08/19/2008 04:53 PM | 00,002,543 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\Microsoft Office Excel 2003 (2).lnk
[08/23/2008 07:45 PM | 00,002,271 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\Copia de PaperPort.lnk
[09/12/2008 09:29 AM | 00,002,565 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\Microsoft Office Word 2003 (2).lnk
[09/13/2008 06:27 PM | 00,065,536 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\PELICULES .xls
< End of report >

frolma

El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: F084-9B57
Directorio de c:\WINDOWS\system32
19/04/2007 21:54 113.152 3740728561.CPX
19/04/2007 20:54 286 37407285612.CPX
20/04/2007 21:54 2.045 37407285631.CPX
18/04/2007 20:54 11.385 37407285651.CPX
4 archivos 126.868 bytes
Directorio de c:\_OTMoveIt\MovedFiles\08302008_192308\WINDOWS\System32
28/08/2008 19:14 290 112.CPX.old
28/08/2008 19:14 422 121.CPX.old
2 archivos 712 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09122008_184804\WINDOWS\system32
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
17/04/2007 19:54 113.152 3740728561.CPX
19/04/2007 20:54 285 37407285612.CPX
19/04/2007 21:54 1.957 37407285631.CPX
17/04/2007 19:54 11.312 37407285651.CPX
6 archivos 131.090 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09132008_162839\WINDOWS\system32
02/09/2008 16:57 298 112.CPX.old
02/09/2008 16:57 408 121.CPX.old
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
17/04/2007 18:54 113.152 3740728561.CPX
18/04/2007 18:54 285 37407285612.CPX
6 archivos 118.527 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09142008_221251\WINDOWS\system32
18/04/2007 19:54 113.152 11.CPX
12/09/2008 23:09 285 112.CPX
12/09/2008 23:09 414 121.CPX
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
19/04/2007 20:54 411 37407285621.CPX
6 archivos 118.646 bytes
Directorio de c:\_OTMoveIt\MovedFiles\09142008_221251\WINDOWS\system32\dllcache
02/03/2006 14:00 2.151 12520437.cpx
02/03/2006 14:00 2.233 12520850.cpx
2 archivos 4.384 bytes
Total de archivos en la lista:
26 archivos 500.227 bytes
0 dirs 42.430.676.992 bytes libres




SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/14/2008 at 11:28 PM
Application Version : 4.21.1004
Core Rules Database Version : 3566
Trace Rules Database Version: 1554
Scan type : Complete Scan
Total Scan Time : 00:43:03
Memory items scanned : 403
Memory threats detected : 0
Registry items scanned : 6623
Registry threats detected : 0
File items scanned : 17778
File threats detected : 31
Adware.Tracking Cookie
C:\Documents and Settings\Propietario\Cookies\propietario@ads.us.e-planning[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@apmebf[2].txt
C:\Documents and Settings\Propietario\Cookies\propietario@advertising[2].txt
C:\Documents and Settings\Propietario\Cookies\propietario@adtech[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@weborama[2].txt
C:\Documents and Settings\Propietario\Cookies\propietario@imrworldwide[2].txt
C:\Documents and Settings\Propietario\Cookies\propietario@tradedoubler[2].txt
C:\Documents and Settings\Propietario\Cookies\propietario@fastclick[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@atdmt[2].txt
C:\Documents and Settings\Propietario\Cookies\propietario@statse.webtrendslive[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@doubleclick[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@overture[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@specificclick[2].txt
C:\Documents and Settings\Propietario\Cookies\propietario@ads.addynamix[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@loadxl.exelator[2].txt
C:\Documents and Settings\Propietario\Cookies\propietario@bs.serving-sys[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@2o7[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@ad.yieldmanager[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@tribalfusion[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@serving-sys[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@topticketline.solution.weborama[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@kontera[1].txt
C:\Documents and Settings\Propietario\Cookies\propietario@www.googleadservices[2].txt
C:\Documents and Settings\Propietario\Cookies\propietario@mediaplex[2].txt
C:\Documents and Settings\Propietario\Cookies\propietario@simyo.solution.weborama[2].txt
Adware.WhenU
C:\Documents and Settings\Propietario\Menú Inicio\Programas\WhenU\Customer Support.lnk
C:\Documents and Settings\Propietario\Menú Inicio\Programas\WhenU\Learn More About WhenU Save.url
C:\Documents and Settings\Propietario\Menú Inicio\Programas\WhenU\Learn More About WhenU SaveNow.url
C:\Documents and Settings\Propietario\Menú Inicio\Programas\WhenU\Uninstall Instructions.lnk
C:\Documents and Settings\Propietario\Menú Inicio\Programas\WhenU\WhenU.com Website.url
C:\Documents and Settings\Propietario\Menú Inicio\Programas\WhenU