Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Post by SnoopDogg » March 29th, 2007, 9:35 am

Logfile of HijackThis v1.99.1
Scan saved at 9:36:01 PM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\winupd32.exe
C:\HJT\HijackThis.exe

O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: BHOHelper Class - {67A90DD6-128D-43AB-B97C-565D2DD42A28} - C:\PROGRA~1\safe360\atloader.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [360tray.exe] C:\WINDOWS\System32\rundll32.exe C:\PROGRA~1\safe360\adx.dll,Rundll32
O4 - HKLM\..\Run: [Windows Service Agent] winupd32.exe
O4 - HKLM\..\RunServices: [Windows Service Agent] winupd32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [KeySetState] C:\Documents and Settings\StreetBaller89\Local Settings\Temp\wzf69c\KeySet.exe /keyset
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBD34D7A-E679-4044-86F1-E8E5D21D073F}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avgav.exe (AVG) - Unknown owner - C:\WINDOWS\avgav.exe (file missing)
SnoopDogg
Regular Member
 
Posts: 61
Joined: March 28th, 2007, 11:41 pm
Location: >_<
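The HijackThis log above is what a helper reads by eye: which O4 autoruns point at a bare filename or at a Temp folder, which O23 service has no vendor and no file, and which DNS servers the O17 line names. The script below writes that triage out as rules. It is an added example for this page, not a MalwareRemoval.com or HijackThis tool; the sample lines are copied from the log above, the severity labels and the rule wording are my own, and the code only flags entries for review, it does not decide that a file is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries from the log above,
# embedded inline so the example runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Windows Service Agent] winupd32.exe
O4 - HKLM\..\RunServices: [Windows Service Agent] winupd32.exe
O4 - HKCU\..\Run: [KeySetState] C:\Documents and Settings\StreetBaller89\Local Settings\Temp\wzf69c\KeySet.exe /keyset
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBD34D7A-E679-4044-86F1-E8E5D21D073F}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avgav.exe (AVG) - Unknown owner - C:\WINDOWS\avgav.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] ?(.*)$")
O23_RE = re.compile(r"^Service: (.+?) \(([^)]+)\) - (.+?) - (.+)$")
O17_RE = re.compile(r"NameServer = (.+)$")
RANK = {"info": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Program referenced by a Run-key command. Quoted paths are taken as-is;
    unquoted paths with spaces are cut at the first executable extension."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|,|$)", cmd, re.I)
    return m.group(1) if m else (cmd.split() or [""])[0]


def analyze(text: str) -> list[Finding]:
    findings = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []  # (severity, explanation) pairs collected for this one entry
        if section == "O4" and (m4 := O4_RE.match(body)):
            hive, key, name, cmd = m4.groups()
            exe = executable_of(cmd)
            low = exe.lower()
            if "\\" not in exe:
                reasons.append(("high", f"autorun target '{exe}' has no path and is found via the search path"))
            if "\\temp\\" in low or "\\temporary internet files\\" in low:
                reasons.append(("high", "autorun target lives in a temporary directory"))
            if key.lower() == "runservices":
                reasons.append(("medium", "RunServices is a Windows 9x key, rarely written by legitimate XP software"))
        elif section == "O23" and (m23 := O23_RE.match(body)):
            display, _svc, owner, path = m23.groups()
            if path.endswith("(file missing)"):
                reasons.append(("high", "service binary is missing: orphaned service entry"))
            if owner == "Unknown owner":
                reasons.append(("medium", "service binary carries no vendor information"))
            if display.lower().endswith(".exe"):
                reasons.append(("medium", "display name is a bare filename, not a product name"))
        elif section == "O17" and (m17 := O17_RE.search(body)):
            reasons.append(("info", f"DNS servers are {m17.group(1)}; confirm they belong to the ISP"))
        if reasons:
            worst = max(reasons, key=lambda r: RANK[r[0]])[0]
            findings.append(Finding(section, worst, "; ".join(r for _, r in reasons), raw.strip()))
    findings.sort(key=lambda f: -RANK[f.severity])  # stable sort keeps log order within a level
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample, the two `winupd32.exe` autoruns, the `KeySet.exe` entry under `Local Settings\Temp` and the orphaned `avgav.exe` service come out on top, and the DNS line is listed for a manual check rather than judged. The "bare filename" rule is the one worth remembering: a Run value with no path is resolved through the search path, so the log alone cannot tell you which `winupd32.exe` actually runs.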

Post by SnoopDogg » March 29th, 2007, 9:44 am

Kaspersky Log (Online scanner)


Tuesday, March 27, 2007 11:03:08 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/03/2007
Kaspersky Anti-Virus database records: 286813


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Folders
C:\

Scan Statistics
Total number of scanned objects 130744
Number of viruses found 70
Number of infected objects 1361 / 0
Number of suspicious objects 0
Duration of the scan process 01:52:23

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Street Baller\Local Settings\Temporary Internet Files\SC\console.html Infected: Net-Worm.Win32.Allaple.a skipped

C:\Documents and Settings\Street Baller\Application Data\Opera\Opera\profile\cache4\opr001QI.html Infected: Net-Worm.Win32.Allaple.a skipped

C:\Documents and Settings\Street Baller\Application Data\Opera\Opera\profile\cache4\opr001RX.html Infected: Net-Worm.Win32.Allaple.a skipped

C:\Documents and Settings\Street Baller\Application Data\Opera\Opera\profile\cache4\opr001VJ.htm Infected: Net-Worm.Win32.Allaple.a skipped

C:\Documents and Settings\Street Baller.AMD\My Documents\My Received Files\mirc616.rar/mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

C:\Documents and Settings\Street Baller.AMD\My Documents\My Received Files\mirc616.rar/mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

C:\Documents and Settings\Street Baller.AMD\My Documents\My Received Files\mirc616.rar RAR: infected - 2 skipped

C:\Documents and Settings\Nancy Voon\Local Settings\Temporary Internet Files\Content.IE5\O5QZKHQB\addimage[1].htm Infected: Net-Worm.Win32.Allaple.a skipped

C:\Documents and Settings\Nancy Voon\Local Settings\Temporary Internet Files\Content.IE5\O5QZKHQB\ads[1].htm Infected: Net-Worm.Win32.Allaple.a skipped

C:\Documents and Settings\Nancy Voon\Local Settings\Temporary Internet Files\Content.IE5\KLAZ0DER\ads[1].htm Infected: Net-Worm.Win32.Allaple.a skipped

C:\Documents and Settings\Nancy Voon\Local Settings\Temporary Internet Files\Content.IE5\KLAZ0DER\my_gallery[1].htm Infected: Net-Worm.Win32.Allaple.a skipped

C:\Documents and Settings\Nancy Voon\Local Settings\Temporary Internet Files\Content.IE5\S5IJWLMZ\scrapview[1].htm Infected: Net-Worm.Win32.Allaple.a skipped

C:\Documents and Settings\Nancy Voon\Local Settings\Temporary Internet Files\Content.IE5\01EF4HU7\B2109678[1].htm Infected: Net-Worm.Win32.Allaple.a skipped

C:\Documents and Settings\Nancy Voon\My Documents\personal\my past\fei\ecard.htm Infected: Net-Worm.Win32.Allaple.a skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\ddosping.RB0.bac_a01616/ddosping.exe Infected: not-a-virus:NetTool.Win32.DDoSPing.200 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\ddosping.RB0.bac_a01616 ZIP: infected - 1 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\ddosping.RB0.bac_a01616 CryptFF.b: infected - 1 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/ByPassFireWall.zip/Inject.exe Infected: Exploit.Win32.InjectDll skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/ByPassFireWall.zip/Ie.dll Infected: Exploit.Win32.InjectDll skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/ByPassFireWall.zip Infected: Exploit.Win32.InjectDll skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/CandyProxy.zip/CandyProxy.exe Infected: not-a-virus:Server-Proxy.Win32.Candy.121 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/CandyProxy.zip Infected: not-a-virus:Server-Proxy.Win32.Candy.121 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/ftpserver.zip/NTSystemFTP.exe Infected: not-a-virus:Server-FTP.Win32.NTServer skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/ftpserver.zip Infected: not-a-virus:Server-FTP.Win32.NTServer skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/gina.zip/InstGina.exe Infected: Trojan-PSW.Win32.GinaPass.c skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/gina.zip/gina.dll Infected: Trojan-PSW.Win32.GinaPass.c skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/gina.zip Infected: Trojan-PSW.Win32.GinaPass.c skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/HTTPD.ZIP/httpd.exe Infected: not-a-virus:Server-Web.Win32.TinyHTTP.11 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/HTTPD.ZIP Infected: not-a-virus:Server-Web.Win32.TinyHTTP.11 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/installterm.zip/installterm.exe Infected: Backdoor.Win32.Slackbot.c skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/installterm.zip Infected: Backdoor.Win32.Slackbot.c skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/PassSniffer.zip/PassSniffer.exe Infected: not-a-virus:PSWTool.Win32.PassSniffer skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/PassSniffer.zip Infected: not-a-virus:PSWTool.Win32.PassSniffer skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/Portless10.zip/PortLess.exe Infected: Backdoor.Win32.Portless.10 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/Portless10.zip Infected: Backdoor.Win32.Portless.10 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/PortLessNew.zip/portlessinst.exe Infected: Backdoor.Win32.Portless.11 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/PortLessNew.zip/svchostdll.dll Infected: Backdoor.Win32.Portless.11 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/PortLessNew.zip Infected: Backdoor.Win32.Portless.11 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/PROXY.ZIP/Proxy.exe Infected: Trojan-Proxy.Win32.Portram skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/PROXY.ZIP Infected: Trojan-Proxy.Win32.Portram skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/PubKeyLog.zip/EditKeyLog.exe Infected: Virus.Win32.Mooder.f skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/PubKeyLog.zip/KeyLog.exe Infected: Trojan-Spy.Win32.WinEggDrop.11 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/PubKeyLog.zip Infected: Trojan-Spy.Win32.WinEggDrop.11 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/SnifferPort.zip/snifferport.exe Infected: not-a-virus:NetTool.Win32.Sniffer.12 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/SnifferPort.zip Infected: not-a-virus:NetTool.Win32.Sniffer.12 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/TCMD.ZIP/Tcmd.exe Infected: Backdoor.Win32.TCmd.10 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/TCMD.ZIP Infected: Backdoor.Win32.TCmd.10 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/TINYFTPD.ZIP/TinyFTPD.exe Infected: not-a-virus:Server-FTP.Win32.TinyFTP.14 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/TINYFTPD.ZIP Infected: not-a-virus:Server-FTP.Win32.TinyFTP.14 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/TinyHTTPProxy.zip/TinyHTTPProxy.exe Infected: not-a-virus:Server-Proxy.Win32.Tiny.10 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/TinyHTTPProxy.zip Infected: not-a-virus:Server-Proxy.Win32.Tiny.10 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/WinEggDropGet.zip/wget.exe Infected: not-a-virus:Downloader.Win32.Eggdrop skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/WinEggDropGet.zip Infected: not-a-virus:Downloader.Win32.Eggdrop skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/WinEggDropMatrix.zip/UnPack.rar/EditServer.exe Infected: Backdoor.Win32.EggDrop.15 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/WinEggDropMatrix.zip/UnPack.rar/injectt.exe Infected: Backdoor.Win32.EggDrop.16 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/WinEggDropMatrix.zip/UnPack.rar/TBack.DLL Infected: Backdoor.Win32.EggDrop.16 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/WinEggDropMatrix.zip/UnPack.rar Infected: Backdoor.Win32.EggDrop.16 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/WinEggDropMatrix.zip/Packed.zip/EditServer.exe Infected: Backdoor.Win32.EggDrop.15 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/WinEggDropMatrix.zip/Packed.zip/InjectT.exe Infected: Backdoor.Win32.EggDrop.16 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/WinEggDropMatrix.zip/Packed.zip/TBack.DLL Infected: Backdoor.Win32.EggDrop.u skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/WinEggDropMatrix.zip/Packed.zip Infected: Backdoor.Win32.EggDrop.u skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/WinEggDropMatrix.zip Infected: Backdoor.Win32.EggDrop.u skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/process.exe Infected: not-a-virus:RiskTool.Win32.PsKill.m skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616 ZIP: infected - 46 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616 CryptFF.b: infected - 46 skipped

C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\mailbomb.RB0.bac_a01616/mailbomb.exe/邮件炸弹发

Post by SnoopDogg » March 29th, 2007, 9:48 am

Sorry, it's too long; more than 1k files were infected, so forget about Kaspersky.
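The Kaspersky report above is long because it counts every archive member and every item another scanner had already put in quarantine, not because 1361 live files were infected. Sorting it is a parsing job: split the verdict into its class (Net-Worm, Backdoor, Trojan-PSW, or Kaspersky's "not-a-virus:" riskware tag), note whether the path is an archive member (Kaspersky separates those with "/") or sits in a quarantine folder, and rank accordingly. The script below does that. It is an added example for this page, not Kaspersky's or MalwareRemoval.com's code; the sample lines are taken from the report above, and the priority buckets ("live", "dormant", "review", "contained") are my own naming.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the format of the Kaspersky Online Scanner report above
# (a few of its lines), embedded inline so the example runs offline.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Street Baller\Local Settings\Temporary Internet Files\SC\console.html Infected: Net-Worm.Win32.Allaple.a skipped
C:\Documents and Settings\Nancy Voon\My Documents\personal\my past\fei\ecard.htm Infected: Net-Worm.Win32.Allaple.a skipped
C:\Documents and Settings\Street Baller.AMD\My Documents\My Received Files\mirc616.rar/mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\Street Baller.AMD\My Documents\My Received Files\mirc616.rar RAR: infected - 2 skipped
C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/gina.zip/gina.dll Infected: Trojan-PSW.Win32.GinaPass.c skipped
C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616/TCMD.ZIP/Tcmd.exe Infected: Backdoor.Win32.TCmd.10 skipped
C:\Documents and Settings\Nancy Voon\.housecall6.6\Quarantine\WinEggDroptools.zip.bac_a01616 ZIP: infected - 46 skipped
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\S+): infected - (?P<count>\d+) (?P<action>\w+)$")
RISKWARE_PREFIX = "not-a-virus:"


@dataclass
class Detection:
    path: str
    verdict: str
    family: str        # verdict class, e.g. Net-Worm, Backdoor, Trojan-PSW
    riskware: bool     # Kaspersky's "not-a-virus:" tag: legitimate tool, check intent
    in_archive: bool   # Kaspersky separates archive members with "/"
    quarantined: bool  # already isolated by another scanner (HouseCall in this log)
    priority: str


@dataclass
class Container:
    path: str
    kind: str
    count: int


def prioritize(riskware: bool, in_archive: bool, quarantined: bool) -> str:
    if quarantined:
        return "contained"   # nothing runs from a quarantine store; empty it
    if riskware:
        return "review"      # legitimate tool; ask whether the user wants it
    if in_archive:
        return "dormant"     # inert until extracted; delete the archive
    return "live"            # plain file on disk; act on these first


def parse_report(text: str) -> tuple[list[Detection], list[Container]]:
    detections, containers = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := DETECTION_RE.match(line):
            path, verdict = m["path"], m["verdict"]
            riskware = verdict.startswith(RISKWARE_PREFIX)
            family = (verdict[len(RISKWARE_PREFIX):] if riskware else verdict).split(".")[0]
            in_archive = "/" in path
            quarantined = "\\quarantine\\" in path.lower()
            detections.append(Detection(path, verdict, family, riskware, in_archive, quarantined,
                                        prioritize(riskware, in_archive, quarantined)))
        elif m := CONTAINER_RE.match(line):
            containers.append(Container(m["path"], m["kind"], int(m["count"])))
    return detections, containers


def summarize(detections: list[Detection]) -> dict[str, Counter]:
    """Family counts per priority bucket, so 'live' stands apart from 'contained'."""
    buckets: dict[str, Counter] = {}
    for d in detections:
        buckets.setdefault(d.priority, Counter())[d.family] += 1
    return buckets


if __name__ == "__main__":
    dets, conts = parse_report(SAMPLE_REPORT)
    for prio, fams in summarize(dets).items():
        print(prio, dict(fams))
    for c in conts:
        print(f"{c.kind} container with {c.count} detections: {c.path}")
```

On the sample, the only "live" detections are the two HTML files carrying the Net-Worm verdict in the users' profiles; the backdoor and password-stealer hits are all inside HouseCall's quarantine, and the mIRC archive is riskware to ask about, not to panic over. That split is what the helper needs from a report this size, and it is why the thread moves on to a targeted fix tool rather than working through the list by hand.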

Post by random/random » April 3rd, 2007, 8:03 am

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
random/random
Developer

Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Post by SnoopDogg » April 3rd, 2007, 10:13 am

Thanks for replying. Here are the logs:

SDFix: Version 1.76

Run by StreetBaller89 - 04/03/2007 Tue - 21:56:08.64

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
AVG
Control Task Manager

ImagePath:
"C:\WINDOWS\avgav.exe"
"C:\WINDOWS\system32\cvsys.exe"

AVG Deleted
Control Task Manager Deleted

Killing PID 148 'smss.exe'
Killing PID 216 'winlogon.exe'

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\cvsys.exe - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------




Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Program Files\BitComet\Downloads\TNT321@Vol.1\_desktop.ini
C:\Program Files\BitComet\Downloads\TNT321@Vol.2\Desktop_.ini
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Netscape\Communicator\Program\netscape.exe\_desktop.ini
C:\Program Files\Netscape\Communicator\Program\netscape.exe\Desktop_.ini
C:\Program Files\Netscape\Communicator\Program\netscape.exe\Plugins\_desktop.ini
C:\Program Files\Netscape\Communicator\Program\netscape.exe\Plugins\Desktop_.ini
C:\Program Files\Netscape\Communicator\Program\netscape.exe\java\_desktop.ini
C:\Program Files\Netscape\Communicator\Program\netscape.exe\java\Desktop_.ini
C:\Program Files\Netscape\Communicator\Program\netscape.exe\java\classes\_desktop.ini
C:\Program Files\Netscape\Communicator\Program\netscape.exe\java\classes\Desktop_.ini
C:\WINDOWS\system32\telecomes.exe
C:\WINDOWS\system32\xvlaomn.exe
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL0007.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL0098.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL0137.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL0168.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL0410.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL0519.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL0818.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL0910.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL0929.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL0965.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL1122.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL1162.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL1251.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL1252.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL1461.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL1466.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL1545.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL1750.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL1755.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL1852.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL1866.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL2154.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL2426.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL2681.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL2736.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL2784.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL3698.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL3744.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL3763.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL3802.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL4033.tmp
C:\Documents and Settings\Street Baller.AMD\My Documents\~WRL4089.tmp
C:\Documents and Settings\Nancy Voon\My Documents\personal\qing\2006\my class\class bbq gathering\SIV1.tmp
C:\Documents and Settings\Nancy Voon\My Documents\personal\qing\2006\my class\class bbq gathering\SIV9.tmp
C:\Documents and Settings\Nancy Voon\My Documents\personal\qing\2006\2nd cs presentation n klcc\SIV2C.tmp
C:\Documents and Settings\Nancy Voon\My Documents\personal\qing\2006\2nd cs presentation n klcc\SIV2D.tmp
C:\Documents and Settings\Nancy Voon\Desktop\~WRL3449.tmp
C:\Documents and Settings\Nancy Voon\Desktop\~WRL0732.tmp
C:\Documents and Settings\Nancy Voon\Desktop\~WRL2475.tmp
C:\Documents and Settings\Nancy Voon\Desktop\~WRL0376.tmp
C:\Documents and Settings\Nancy Voon\Desktop\~WRL2921.tmp
C:\Documents and Settings\Nancy Voon\Desktop\~WRL3031.tmp
C:\Documents and Settings\Nancy Voon\Desktop\~WRL2514.tmp
C:\Documents and Settings\Nancy Voon\Desktop\~WRL3033.tmp
C:\Documents and Settings\Nancy Voon\Desktop\~WRL1075.tmp
C:\Documents and Settings\Nancy Voon\Desktop\~WRL0778.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS7E84C53F-DBF7-4A0B-8CB2-C9AB821E3A0B.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS20EE7C95-9406-441B-A124-73B44BA9B9D6.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS9172DC8C-66DE-4DE0-BAED-3B85FA8CC4BE.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS38F2BBC4-497A-43A5-92A0-B9E2256DB2AB.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS68B02ABA-4E44-4558-B6D5-37DB35299648.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSA517936D-B03A-44C8-A14C-3BB0B3CCB3D0.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSAA0BF2EC-33FF-463D-A22E-43D9A497D8C9.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSFFB6F426-FE10-4425-A4D0-94C39D0976F4.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS86B3E5F9-8291-4227-A57A-B1DA8EC19BCE.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSA9B3910F-BB7C-498D-87A3-C6D0E29F96CA.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS03755062-4BD4-42C8-B8C4-89BD1AE37F0E.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS06C8DDBE-89E2-440A-9111-460712ACD5F7.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS667402D0-3310-4DC4-8A42-F53D69D0BD8C.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS87319731-D3A8-46F9-9EAB-9BECC7623B7D.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS809FFC54-9E6C-4ADC-AC27-FDFF20EB36E7.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS0C11C790-336E-4045-8993-0C5CAA59AFA6.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS6B721A86-D679-46BB-93C3-FDFF44AA0055.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS1ADCBAA4-51AF-421A-B254-F6B5D3C9550C.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS62B4E817-5321-4DC0-A61D-CF38527209B5.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS79B3B84B-D8EE-4618-B362-B5348596F643.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS49318F4A-596C-4BEA-A078-70DB2922EE6C.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS55EFE7E9-D729-4C5B-ABC2-AC4FFFD6F584.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS04C6B3CB-E429-4CFF-A8E2-E3DFDF2AA28C.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS811CD61A-F105-4E79-9FF8-48EEC083F90B.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS85944534-F85F-45BC-8D18-207A79F0A18E.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS9A94899C-C208-46BF-B222-1EB317E7CF3F.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS0844C1B2-D0B3-4F5B-BDD6-1055A5AC09F3.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS41231B96-F230-43A5-ACC5-F3937483EFE5.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS7C697626-9643-4A22-B830-1738D9FE032E.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS61969E6B-5820-45FA-A0E6-5E601CD5DB89.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSBF76A573-0978-4D15-8EA9-D35195AA2863.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS2140DC09-F79B-40A6-B4C8-00F85DF97599.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSBC02B2B5-8492-4DEC-BE9D-F91229867C83.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS4123D9F1-71F1-43E7-867F-2ECDD83297BE.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS8179C0B9-C32E-4929-BA16-C0E6A3E43E2F.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS22B1452F-EB53-400E-87FE-F6017DFEBC5D.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSA41C3591-99ED-4BB1-946C-CAC26EC5B982.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS618D0A8C-EDA1-43E2-8113-4D064B1D4C7F.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS47DAF46D-A58B-4922-9371-E92DBD6E996C.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS891B131F-9784-437A-B31C-97F405EB8F5E.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS834CF54A-9FA0-4CED-8077-BD248F7BC3C8.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS03197FA1-6BA1-4DCD-B715-C85359A15B77.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS747D91F4-D3BB-49B2-A212-19355E59FE93.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS1BF9BD1B-E9B7-4885-91B6-610F49549EED.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS24A2B8ED-F94D-4B65-AC1F-A8E22A0352BA.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS12D9653A-B6EE-43BF-8757-18F685A9684E.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS5CECA981-EEB0-430A-82AD-BD738946943E.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS849C8A3D-A5DA-4E35-A07C-1C4A52982C84.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS0435BF00-77FA-4356-8E25-8F3DC8C3AE6C.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS4B03118A-8134-48C6-BE3E-92CB352FD1C4.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS7DC365DB-6DAD-4378-963B-88B4A8311D25.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS4824CF61-CC94-42BB-AFB0-96AE48CA0E60.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS86442441-0F92-48EB-B91F-89EA87841AA7.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS9490A9E7-20D1-4249-90E2-3512A1BE728A.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSDDF63902-6AB6-44FD-B653-73AFF12357D0.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS16837ED3-C9AF-44FB-9CBB-D7A33314C17A.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSE427E833-03F4-49FE-A023-5FE2AA607047.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS3FCE81E9-3631-484F-85F0-980121E619C9.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS88BCB0A5-D363-477E-A275-EE4C9813F6C6.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS9A85CE99-4314-439A-B520-215AEEB13789.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS860CB125-7ED6-4924-B4C4-80F00E397E4A.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS99FE96F5-3800-4617-A81F-DCB43F6F0A76.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS7F39C78F-DB7A-4F87-9CE5-D0DE547D41DA.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS8951ECF6-2851-4DF7-A65F-70777374A560.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS6C10D647-A257-4C77-80D7-23E9BF96F481.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSAB4A3A5B-1078-4AAB-BFAD-1C586D0BF095.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS60BFF947-B892-4AA2-BAB7-31A1207C7842.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSB52718ED-B51C-4060-A8F0-89EDEE5461A8.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS2F50BC28-CC67-4A0D-844F-D4D683639869.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS009D06A8-C103-4796-A4BD-CE8D2DAD2F78.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS76F99261-B8C5-4545-9A2F-A0CCA41F5590.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS81FB82F9-B76C-484E-9D2E-E171C7297562.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS207C2C61-4F9F-4EBB-AD85-42B13BDAC008.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS67C0A265-EA02-42CD-9450-148D38D82A33.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS52C3718B-293D-42F8-9273-A533A9CC2DC2.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS25B7F85C-6EF8-40E4-A851-F781C1DBEFE4.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSE4783A38-11EA-4940-B383-42F088B77EC8.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSD2BDC67B-7DB8-4878-850B-9A667957EF87.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS668941CD-E359-4425-B4F9-39031C415B62.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS383B66DB-74AB-4BF3-9597-30C247664056.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS4D0CE691-A62A-4699-B805-7FD0E0CBE9D9.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSD9DB42E4-952F-4B49-8687-F1718B470E53.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSA04401E6-F1EB-4280-A658-599E8F572D8D.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS91DBAD45-71CA-494B-B207-E3904867FDC9.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS7F07B646-3860-482E-A600-5351AC585915.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS2BAB8D00-33AF-437F-AC78-C1FEB279BF97.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS5EBF0B9C-7C49-406D-A58E-E2CFCAA11B9E.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS8E8CD3F6-02E3-4989-85AC-4789295B1499.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSD5A16B97-FEFD-464C-BE45-81E9F08A242E.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS0655904B-6D51-44A0-BD4D-26F40839C119.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS6681F6C4-6DB8-4EBB-BA5A-DE40ABB3EE43.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS6666F75F-0002-4179-B44A-C8C012DDD5D3.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSA0C7323F-7579-423D-A37E-1B8CEE869FED.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSD6FBD482-DD85-4115-A78F-F8F744F969CC.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS1D2E7B7E-61F8-450E-AA11-62A289CEF2A3.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSD7D2E175-F320-4A56-BEAE-33B80EF4A6A7.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSB79FA981-F48E-4E5F-BAB6-4DC8EFA4710F.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS26E1C520-4D6B-4F31-A8FF-DDC03782D578.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS7AE8534B-9466-4307-825B-83675BB1AF3D.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSAACAD6AF-631B-4BD6-9DDD-806846FA27F5.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSC90EDB14-A7A4-4672-B198-2D7FDB0401B6.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSD99A6B1F-1BA6-4CDA-8AF4-9BA2411D8840.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSCACD36DA-7A2E-43EB-ABAB-32F69A951130.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS211FBA10-8A89-44A5-8300-17C907FB6945.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSE55FE699-836F-4171-9A94-40DBB7C3CAEB.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS6627C8E2-F5C2-45ED-9635-C128EB794477.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCS78277C6A-FFA2-4A3B-B5B1-2928F3FBCCF1.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSDBB423AD-997A-4300-8C6C-FB65B8D874F7.tmp
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\Webroot\Spy Sweeper\Temp\SSCSBCE5CFD3-43FB-4DDF-9BB0-2062C70FA316.tmp
C:\Documents and Settings\Thomas\Application Data\Microsoft\Word\~WRL2905.tmp
C:\Documents and Settings\Swee Ching\Desktop\qing\2006\2nd cs presentation n klcc\SIV2C.tmp
C:\Documents and Settings\Swee Ching\Desktop\qing\2006\2nd cs presentation n klcc\SIV2D.tmp
C:\Documents and Settings\Swee Ching\Desktop\qing\2006\my class\class bbq gathering\SIV1.tmp
C:\Documents and Settings\Swee Ching\Desktop\qing\2006\my class\class bbq gathering\SIV9.tmp
C:\Documents and Settings\ThomasVoon.AMD\My Documents\~WRL0003.tmp
C:\Documents and Settings\ThomasVoon.AMD\My Documents\Insurance\~WRL0001.tmp
C:\Documents and Settings\ThomasVoon.AMD\Desktop\New Folder (5)\Selling Idea\~WRL1721.tmp
C:\WINDOWS\LastGood.Tmp\INF\oem0.inf
C:\WINDOWS\LastGood.Tmp\INF\oem0.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem1.inf
C:\WINDOWS\LastGood.Tmp\INF\oem1.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem2.inf
C:\WINDOWS\LastGood.Tmp\INF\oem2.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem3.inf
C:\WINDOWS\LastGood.Tmp\INF\oem3.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem5.inf
C:\WINDOWS\LastGood.Tmp\INF\oem5.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem6.inf
C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem7.inf
C:\WINDOWS\LastGood.Tmp\INF\oem7.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem8.inf
C:\WINDOWS\LastGood.Tmp\INF\oem8.PNF

Finished


Logfile of HijackThis v1.99.1
Scan saved at 10:12:15 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [KeySetState] C:\Documents and Settings\StreetBaller89\Local Settings\Temp\wzf69c\KeySet.exe /keyset
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBD34D7A-E679-4044-86F1-E8E5D21D073F}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
SnoopDogg
Regular Member
 
Posts: 61
Joined: March 28th, 2007, 11:41 pm
Location: >_<

Unread postby random/random » April 3rd, 2007, 10:22 am

  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Untick the following:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  • You will get a message warning you about showing protected operating system files, click Yes
  • Make sure this option is selected:
    • Show hidden files and folders
  • Click Apply and then click OK


Then please upload this file:

C:\Documents and Settings\StreetBaller89\Local Settings\Temp\wzf69c\KeySet.exe

To either jotti or virustotal

Repeat for these files

C:\WINDOWS\system32\telecomes.exe
C:\WINDOWS\system32\xvlaomn.exe

Post back with the jotti/virustotal results and a new HijackThis log
random/random
Developer
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Unread postby SnoopDogg » April 3rd, 2007, 10:51 am

Keyset.exe
Scan taken on 03 Apr 2007 14:35:28 (GMT)
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Telecomes.exe
Scan taken on 03 Apr 2007 14:43:05 (GMT)
AntiVir
Found HEUR/Crypted
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found a variant of Win32/Rbot
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Trojan-Dropper.Delf.33 (probable variant)

xvlaomn.exe
Scan taken on 03 Apr 2007 14:45:34 (GMT)
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found GenPack:Generic.Sdbot.E2C8AF06
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Backdoor.Win32.Rbot.gen
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Backdoor.Win32.Rbot.gen
NOD32
Found a variant of Win32/Rbot
Norman Virus Control
Found W32/Spybot.BJMM
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Logfile of HijackThis v1.99.1
Scan saved at 10:52:16 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [KeySetState] C:\Documents and Settings\StreetBaller89\Local Settings\Temp\wzf69c\KeySet.exe /keyset
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBD34D7A-E679-4044-86F1-E8E5D21D073F}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
SnoopDogg
Regular Member
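The three result blocks above are the usual picture for a freshly dropped bot: KeySet.exe was missed by every engine, telecomes.exe was caught by only three, and the hits that did fire disagree on the name (Rbot, Sdbot and Spybot are vendor aliases for the same IRC-bot lineage) and are partly heuristic or generic verdicts rather than named signatures. The Python below is an added example, not code from this thread or from Jotti: it parses a pasted result block into a per-engine table and summarises the detection count, how many hits are named-family signatures rather than heuristic/generic verdicts, and the family consensus. The alias table and the list of "weak verdict" markers are assumptions of this example; the two embedded blocks are excerpts of the results posted above.

```python
import re
from collections import Counter

# Vendors name the same IRC-bot lineage differently; fold the aliases together
# so the consensus is counted per family, not per vendor string (assumed table).
FAMILY_ALIASES = {"rbot": "rbot/sdbot", "sdbot": "rbot/sdbot", "spybot": "rbot/sdbot"}

# Markers of heuristic, generic-packer or "probable" verdicts: still a signal,
# but weaker than a named-family signature hit (assumed list).
WEAK_MARKERS = ("heur", "generic", "genpack", "probable", "crypted", "packed")


def parse_jotti(text):
    """Parse a Jotti-style block: engine name on one line, 'Found ...' on the next."""
    results = {}
    engine = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Found "):
            if engine is not None:
                results[engine] = line[len("Found "):].strip()
            engine = None
        else:
            # File-name and "Scan taken on" lines are simply overwritten
            # by the next engine name, so they never reach the table.
            engine = line
    return results


def family_of(verdict):
    """Map a vendor verdict string onto a normalised family name, or None."""
    v = verdict.lower()
    for alias, family in FAMILY_ALIASES.items():
        if alias in v:
            return family
    return None


def summarise(text):
    """Detection count, strong (named-signature) count and family consensus."""
    results = parse_jotti(text)
    hits = {e: v for e, v in results.items() if v.lower() != "nothing"}
    strong = [v for v in hits.values() if not any(m in v.lower() for m in WEAK_MARKERS)]
    families = Counter()
    for v in hits.values():
        fam = family_of(v)
        if fam:
            families[fam] += 1
    return {
        "engines": len(results),
        "detections": len(hits),
        "strong_detections": len(strong),
        "families": dict(families),
        "consensus": families.most_common(1)[0][0] if families else None,
    }


# Constructed sample input: excerpts of the Jotti results posted above.
TELECOMES_EXCERPT = """\
Telecomes.exe
Scan taken on 03 Apr 2007 14:43:05 (GMT)
AntiVir
Found HEUR/Crypted
Avast
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found a variant of Win32/Rbot
Panda Antivirus
Found nothing
VBA32
Found Trojan-Dropper.Delf.33 (probable variant)
"""

XVLAOMN_EXCERPT = """\
xvlaomn.exe
Scan taken on 03 Apr 2007 14:45:34 (GMT)
AntiVir
Found nothing
BitDefender
Found GenPack:Generic.Sdbot.E2C8AF06
F-Secure Anti-Virus
Found Backdoor.Win32.Rbot.gen
Kaspersky Anti-Virus
Found Backdoor.Win32.Rbot.gen
NOD32
Found a variant of Win32/Rbot
Norman Virus Control
Found W32/Spybot.BJMM
Panda Antivirus
Found nothing
"""

if __name__ == "__main__":
    for name, block in (("telecomes.exe", TELECOMES_EXCERPT), ("xvlaomn.exe", XVLAOMN_EXCERPT)):
        print(name, summarise(block))
```

The point of separating "strong" from heuristic hits is that a 3/17 result made of one HEUR verdict, one "probable variant" and one named signature is a much thinner basis than 3/17 named signatures, and a 0/17 result on a file launched from a Temp folder by a Run key (KeySet.exe above) is not a clean bill either: the file's location and launch method still have to be judged on their own.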

Unread postby random/random » April 3rd, 2007, 11:18 am

Our experts would like some samples of the files you are infected with

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

Code:
C:\WINDOWS\system32\telecomes.exe
C:\WINDOWS\system32\xvlaomn.exe 



Allow SFP to pack the files. This will generate a CAB archive on your desktop.

Please click here

You will be taken to a new post page (at a different forum)
In the subject box put Suspicious files for analysis

Please put your name and email in the relevant boxes. In the message portion, please paste this:
Code:
Infected Files for analysis
Suspect: Rbot
logfile: http://forum.malwareremoval.com/viewtopic.php?p=168080#168080


Then, by the attach bar at the bottom, hit 'browse' Find this file, and hit ok:
C:\Documents and Settings\User\Desktop\requested-files[date].cab

Then click submit to upload that file. That way our experts can analyse the file

Please post a link to the topic at the other forum as a response to this topic

  • Download WinPFind by OldTimer here
  • Double click on winpfind.exe to extract it
  • Click extract
  • Wait for the message "All files have been extracted" and then click OK
  • This will create the folder winPFind on your desktop
  • Inside that folder is a file called WinPFind.exe
  • Double click on that file to launch WinPFind
  • This will launch a configuration screen
    • Under Driver Services change the selection to Non-Microsoft
    • Under File Created Within change the selection to 60 days
    • Leave the other settings as they are
  • Click Run Scan
  • During the scan WinPFind may appear to be not responding, this is normal
  • Wait for the scan to finish, this may take several minutes
  • A notepad window will open with WinPFind's log.
  • Copy and paste the contents of that window here, along with a link to the topic at the spykiller and a new HijackThis log
  • Note: You may need several posts to post the entire log, or it might get cut off
random/random
Developer

Unread postby SnoopDogg » April 3rd, 2007, 10:10 pm

WinPFind logfile created on: 4/4/2007 9:58:26 AM
WinPFind by OldTimer - v2.0.2 Folder = C:\Documents and Settings\StreetBaller89\Desktop\WinPFind\

════════════════════ Windows OS and Versions ════════════════════

Product Name: Microsoft Windows XP Service Pack 2 | Version: 5.1.2600
Internet Explorer Version: 6.0.2800.1106

════════════════════ Memory/Drive Info ════════════════════

490996 Kb Total Physical Memory | 222832 Kb Available Physical Memory | 45.38% Memory free
1153496 Kb Paging File | 938004 Kb Available in Paging File | 81.32% Paging File free
Paging file location: C:\pagefile.sys 720 1440

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 28704168 Kb Total Space | 1522720 Kb Free Space | 5.30% Space Free
Drive D: | 23587904 Kb Total Space | 302512 Kb Free Space | 1.28% Space Free
Drive E: | 17437536 Kb Total Space | 157456 Kb Free Space | 0.90% Space Free
Drive F: | 10231384 Kb Total Space | 469584 Kb Free Space | 4.59% Space Free

════════════════════ Running Processes (Non-Microsoft) ════════════════════

C:\Documents and Settings\StreetBaller89\Desktop\WinPFind\WinPFind.exe (OldTimer Tools)
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (AVIRA GmbH)
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH)
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
C:\WINDOWS\system32\explorer.exe ()
C:\WINDOWS\system32\spoolvc.exe ()

════════════════════ Win32 Services (Non-Microsoft) ════════════════════

(AntiVirScheduler) AntiVir PersonalEdition Classic Scheduler [Win32_Own | Auto | Running]
= C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH)

(AntiVirService) AntiVir PersonalEdition Classic Guard [Win32_Own | Auto | Running]
= C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (AVIRA GmbH)

(Client Debug Manager) Client Debug Manager [Win32_Own | Auto | Running]
= C:\WINDOWS\system32\spoolvc.exe ()

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\system32\dmadmin.exe (Microsoft Corp., Veritas Software)

(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Disabled | Stopped]
= C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

════════════════════ Driver Services (Non-Microsoft) ════════════════════

(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped]
= (File not found)

(abp480n5) abp480n5 [Kernel | Disabled | Stopped]
= (File not found)

(adpu160m) adpu160m [Kernel | Disabled | Stopped]
= (File not found)

(Aha154x) Aha154x [Kernel | Disabled | Stopped]
= (File not found)

(aic78u2) aic78u2 [Kernel | Disabled | Stopped]
= (File not found)

(aic78xx) aic78xx [Kernel | Disabled | Stopped]
= (File not found)

(AliIde) AliIde [Kernel | Disabled | Stopped]
= (File not found)

(amsint) amsint [Kernel | Disabled | Stopped]
= (File not found)

(asc) asc [Kernel | Disabled | Stopped]
= (File not found)

(asc3350p) asc3350p [Kernel | Disabled | Stopped]
= (File not found)

(asc3550) asc3550 [Kernel | Disabled | Stopped]
= (File not found)

(Atdisk) Atdisk [Kernel | Disabled | Stopped]
= (File not found)

(avgntdd) avgntdd [File_System | System | Running]
= C:\WINDOWS\system32\drivers\avgntdd.sys (AVIRA GmbH)

(avgntmgr) avgntmgr [File_System | Boot | Running]
= C:\WINDOWS\system32\drivers\avgntmgr.sys (AVIRA GmbH)

(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped]
= (File not found)

(Changer) Changer [Kernel | System | Stopped]
= (File not found)

(CmdIde) CmdIde [Kernel | Disabled | Stopped]
= (File not found)

(Cpqarray) Cpqarray [Kernel | Disabled | Stopped]
= (File not found)

(dac960nt) dac960nt [Kernel | Disabled | Stopped]
= (File not found)

(dmboot) dmboot [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dmboot.sys (Microsoft Corp., Veritas Software)

(dmio) Logical Disk Manager Driver [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\dmio.sys (Microsoft Corp., Veritas Software)

(dmload) dmload [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\dmload.sys (Microsoft Corp., Veritas Software.)

(dpti2o) dpti2o [Kernel | Disabled | Stopped]
= (File not found)

(hamachi) Hamachi Network Interface [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)

(hpn) hpn [Kernel | Disabled | Stopped]
= (File not found)

(i2omgmt) i2omgmt [Kernel | System | Stopped]
= (File not found)

(i2omp) i2omp [Kernel | Disabled | Stopped]
= (File not found)

(ini910u) ini910u [Kernel | Disabled | Stopped]
= (File not found)

(IntelIde) IntelIde [Kernel | Disabled | Stopped]
= (File not found)

(lbrtfdc) lbrtfdc [Kernel | System | Stopped]
= (File not found)

(mraid35x) mraid35x [Kernel | Disabled | Stopped]
= (File not found)

(nv) nv [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

(nvax) Service for NVIDIA(R) nForce(TM) Audio Enumerator [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)

(NVENET) NVIDIA nForce MCP Networking Controller Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\NVENET.sys (NVIDIA Corporation)

(nvnforce) Service for NVIDIA(R) nForce(TM) Audio [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)

(nv_agp) NVIDIA nForce AGP Bus Filter [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\nv_agp.SYS (NVIDIA Corporation)

(PCIDump) PCIDump [Kernel | System | Stopped]
= (File not found)

(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped]
= (File not found)

(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(PDRELI) PDRELI [Kernel | On_Demand | Stopped]
= (File not found)

(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(perc2) perc2 [Kernel | Disabled | Stopped]
= (File not found)

(perc2hib) perc2hib [Kernel | Disabled | Stopped]
= (File not found)

(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

(PxHelp20) PxHelp20 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\PxHelp20.sys (Sonic Solutions)

(ql1080) ql1080 [Kernel | Disabled | Stopped]
= (File not found)

(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped]
= (File not found)

(ql12160) ql12160 [Kernel | Disabled | Stopped]
= (File not found)

(ql1240) ql1240 [Kernel | Disabled | Stopped]
= (File not found)

(ql1280) ql1280 [Kernel | Disabled | Stopped]
= (File not found)

(Secdrv) Secdrv [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\secdrv.sys ()

(Simbad) Simbad [Kernel | Disabled | Stopped]
= (File not found)

(Sparrow) Sparrow [Kernel | Disabled | Stopped]
= (File not found)

(symc810) symc810 [Kernel | Disabled | Stopped]
= (File not found)

(symc8xx) symc8xx [Kernel | Disabled | Stopped]
= (File not found)

(sym_hi) sym_hi [Kernel | Disabled | Stopped]
= (File not found)

(sym_u3) sym_u3 [Kernel | Disabled | Stopped]
= (File not found)

(szkg) szkg [Kernel | Boot | Stopped]
= C:\WINDOWS\system32\DRIVERS\szkg.sys (File not found)

(tmcomm) tmcomm [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)

(TosIde) TosIde [Kernel | Disabled | Stopped]
= (File not found)

(ultra) ultra [Kernel | Disabled | Stopped]
= (File not found)

(ViaIde) ViaIde [Kernel | Disabled | Stopped]
= (File not found)

(WDICA) WDICA [Kernel | On_Demand | Stopped]
= (File not found)
SnoopDogg
Regular Member

Unread postby SnoopDogg » April 3rd, 2007, 10:11 pm

════════════════════ Registry Items (Non-Microsoft) ════════════════════

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avgnt = C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
Windows Explorer = C:\WINDOWS\system32\explorer.exe ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KeySetState = C:\Documents and Settings\StreetBaller89\Local Settings\Temp\wzf69c\KeySet.exe (File not found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed = 1

< Common Startup Folder = C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup >
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
= C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini ()

< User Startup Folder = C:\Documents and Settings\StreetBaller89\Start Menu\Programs\Startup >
C:\Documents and Settings\StreetBaller89\Start Menu\Programs\Startup\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
NVSvc = 2
Control Task Manager = 2
AVG = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path = C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk (File not found)
backup = C:\WINDOWS\pss\Adobe Gamma Loader.lnk (File not found)
location = Common Startup
command = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
item = Adobe Gamma Loader

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\360tray.exe]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = adx
hkey = HKLM
command = C:\Program Files\safe360\adx.dll (奇虎网)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Advanced DHTML Enable]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\system32\ilfhc.exe ()
hkey = HKLM
command = C:\WINDOWS\system32\ilfhc.exe ()
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Client Server Runtime Process]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\system32\csrs.exe ()
hkey = HKLM
command = C:\WINDOWS\system32\csrs.exe ()
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Cryptographic Service]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = wnwavm
hkey = HKLM
command = C:\WINDOWS\System32\wnwavm.exe (File not found)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KeySetState]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = KeySet
hkey = HKCU
command = C:\Documents and Settings\Swee Pei\Local Settings\Temp\wz1b45\KeySet.exe (File not found)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Lsass Center]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\system32\telecomes.exe ()
hkey = HKLM
command = C:\WINDOWS\system32\telecomes.exe ()
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
hkey = HKLM
command = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\updateMgr]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = AdobeUpdateManager
hkey = HKCU
command = C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Service Agent]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = winupd32
hkey = HKCU
command = winupd32.exe
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
system.ini = 0
win.ini = 0
bootini = 0
services = 2
startup = 2
SnoopDogg
Regular Member
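The Run keys and MSConfig entries in the WinPFind output above, together with the O4 lines in the HijackThis logs earlier in the thread, show the pattern that makes this infection easy to spot once you know what to look for: a Windows component name in the wrong directory (System32\explorer.exe, when the real Explorer lives in C:\WINDOWS), near-miss spellings of core binaries inside the Windows tree (spoolvc.exe for spoolsv.exe, csrs.exe for csrss.exe), entries with no version/company information, a Run value that is a bare file name (winupd32.exe, resolved through the PATH search order), and an executable launched from a Temp folder (KeySet.exe). The Python script below is an added example, not part of this thread or of HijackThis/WinPFind; it runs exactly those checks over log lines quoted from the posts above. The table of system binaries and their home directories, the two-character edit-distance threshold and the wording of the reasons are assumptions of this example.

```python
import re

# Where each core Windows XP binary really lives on a default C:\WINDOWS install
# (lower-cased; assumed table for this example). A file with one of these names
# anywhere else, or a near-miss spelling inside the Windows tree, is the classic
# bot masquerade seen in the logs above.
SYSTEM_BINARIES = {
    "explorer.exe": r"c:\windows",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}

PATH_RE = re.compile(r'([a-z]:\\[^"\[\]()<>|]*?\.(?:exe|dll|sys))', re.IGNORECASE)
BARE_RE = re.compile(r'=\s*([\w-]+\.exe)\s*$', re.IGNORECASE)  # "command = winupd32.exe"
COMPANY_RE = re.compile(r'\(([^()]*)\)\s*$')                   # WinPFind's trailing "(Vendor)"


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_path(path, company=None):
    """Return the reasons an autostart/service path deserves a second look ([] if none)."""
    reasons = []
    p = path.lower()
    if "\\" not in p:
        return ["bare file name, resolved through the PATH search order"]
    directory, name = p.rsplit("\\", 1)
    stem = name.rsplit(".", 1)[0]
    if name in SYSTEM_BINARIES:
        if directory != SYSTEM_BINARIES[name]:
            reasons.append(f"{name} outside its real home {SYSTEM_BINARIES[name]}")
    elif directory.startswith(r"c:\windows"):
        # Lookalike check only inside the Windows tree: Program Files names such as
        # iexplore.exe are legitimately close to explorer.exe and would false-positive.
        for real in SYSTEM_BINARIES:
            if levenshtein(stem, real.rsplit(".", 1)[0]) <= 2:
                reasons.append(f"name looks like {real}")
                break
    if "\\temp\\" in p:
        reasons.append("runs from a Temp directory")
    if company == "":
        reasons.append("no version/company information")
    elif company == "File not found":
        reasons.append("orphaned entry, file no longer present")
    return reasons


def triage_lines(lines):
    """Run triage_path over HijackThis / WinPFind lines; returns {line: [reasons]}."""
    findings = {}
    for line in lines:
        m = COMPANY_RE.search(line)
        company = m.group(1) if m else None
        paths = PATH_RE.findall(line)
        if not paths:
            bare = BARE_RE.search(line)
            if bare:
                paths = [bare.group(1)]
        reasons = [r for path in paths for r in triage_path(path, company)]
        if reasons:
            findings[line] = reasons
    return findings


# Constructed sample: lines quoted from the HijackThis and WinPFind logs in this thread.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r'O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe',
    r'O4 - HKCU\..\Run: [KeySetState] C:\Documents and Settings\StreetBaller89\Local Settings\Temp\wzf69c\KeySet.exe /keyset',
    r'= C:\WINDOWS\system32\spoolvc.exe ()',
    r'command = C:\WINDOWS\system32\csrs.exe ()',
    r'command = winupd32.exe',
    r'command = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)',
    r'O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe',
]

if __name__ == "__main__":
    for line, reasons in triage_lines(SAMPLE_LINES).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Five of the eight sample lines are flagged and the three legitimate ones (Avira's avgnt.exe and avguard.exe, NVIDIA's nvcpl.dll) pass. The checks are deliberately cheap and local so they work on a pasted log with no network access; they are a triage aid for reading the log, not a verdict, and an entry they do not flag still has to be judged by where it lives and how it starts.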

Unread postby SnoopDogg » April 3rd, 2007, 10:12 pm

>>>>> Disabled Startup Folder Items <<<<<

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = Reg Data - Key not found
.html [@ = FirefoxHTML] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL %1,%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -> "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -> C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" -requestPending (Mozilla Corporation)

https [open] -> C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" -requestPending (Mozilla Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe %SystemRoot%\System32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

Unread postby SnoopDogg » April 3rd, 2007, 10:13 pm

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\system32\ie4uinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Unread postby SnoopDogg » April 3rd, 2007, 10:14 pm

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute =
ExcludeFromKnownDlls =

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<




>>>>> Security Providers <<<<<

>>>>> Winlogon Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
Control_RunDLL (File not found)

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
dontdisplaylastusername = 0
legalnoticecaption =
legalnoticetext =
shutdownwithoutlogon = 1
undockwithoutlogon = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 145

>>>>> Desktop Components <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
FriendlyName = My Current Home Page
Source = About:Home
SubscribedURL = About:Home

>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 685 bytes | Modified Date: 4/3/2007 9:56:20 PM)
127.0.0.1 localhost

Unread postby SnoopDogg » April 3rd, 2007, 10:15 pm

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
Local Page = %SystemRoot%\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Local Page = C:\WINDOWS\System32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
Start Page = http://www.yahoo.com/


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0

>>>>> Browser Helper Objects <<<<<

>>>>> Bars, Toolbars and Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet Bar ( HKLM = C:\Program Files\FLASHGET\fgiebar.dll (Amaze Soft) )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} = 8192 - Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )
{92780B25-18CC-41C8-B9BE-3C9C571A8263} = 8193 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} = 8194 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8195

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
MenuText = Sun Java Console
ClsidExtension = {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - Java Plug-in 1.5.0_03 ( HKLM C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}]
ButtonText = Research

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}]
ButtonText = FlashGet
MenuText = &FlashGet
Exec = C:\Program Files\FLASHGET\flashget.exe (FlashGet.com)

>>>>> Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Taskbar and Start Menu ( HKLM = Reg Data - Key not found (File not found) )
{1CDB2949-8F65-4355-8456-263E7C208A5D} = Desktop Explorer ( HKLM = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation) )
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} = Desktop Explorer Menu ( HKLM = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation) )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Display Panning CPL Extension ( HKLM = deskpan.dll (File not found) )
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = Shell Extension for Malware scanning ( HKLM = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
{7A9D77BD-5403-11d2-8785-2E0420524153} = User Accounts ( HKLM = Reg Data - Key not found (File not found) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Encryption Context Menu ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.) )
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = Multiscan ( CLSID not found! )
{E0D79304-84BE-11CE-9641-444553540000} = WinZip ( HKLM = C:\Program Files\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.) )
{E0D79305-84BE-11CE-9641-444553540000} = WinZip ( HKLM = C:\Program Files\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.) )
{E0D79306-84BE-11CE-9641-444553540000} = WinZip ( HKLM = C:\Program Files\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.) )
{E0D79307-84BE-11CE-9641-444553540000} = WinZip ( HKLM = C:\Program Files\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.) )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} = RealOne Player Context Menu Class ( HKLM = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.) )

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning]
@ = {45AC2688-0253-4ED8-97DE-B5370FA7D48A} ( HKLM = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\WinZip]
@ = {E0D79304-84BE-11CE-9641-444553540000} ( HKLM = C:\Program Files\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip]
@ = {E0D79304-84BE-11CE-9641-444553540000} ( HKLM = C:\Program Files\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\Shell Extension for Malware scanning]
@ = {45AC2688-0253-4ED8-97DE-B5370FA7D48A} ( HKLM = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\WinZip]
@ = {E0D79304-84BE-11CE-9641-444553540000} ( HKLM = C:\Program Files\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}]
- PDF Shell Extension ( HKLM = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll (Adobe Systems, Inc.) )

Unread postby SnoopDogg » April 3rd, 2007, 10:16 pm

>>>>> User Agent Post Platform <<<<<

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{394AE395-6284-44FE-B150-7A4CEB22072C}]
DefaultGateway =
DhcpServer = 255.255.255.255
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4DFDC4FE-A6F3-45B8-A2CF-0BF1941A8C3C}] ( NVIDIA nForce MCP Networking Controller )
DefaultGateway =
DhcpDefaultGateway = 192.168.1.1;
DhcpIPAddress = 192.168.1.3
DhcpNameServer = 192.168.1.1
DhcpServer = 192.168.1.1
DhcpSubnetMask = 255.255.255.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Protocol Handlers <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\vnd.ms.radio]
CLSID = {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - ( HKLM C:\WINDOWS\system32\msdxm.ocx () )

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
INF = C:\WINDOWS\Downloaded Program Files\jinstall-1_5_0_03.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{C3F79A2B-B9B4-4A66-B012-3EE46475B072}\DownloadInformation]
CODEBASE = http://messenger.zone.msn.com/binary/Me ... b56907.cab

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]
CODEBASE = http://fpdownload.macromedia.com/pub/sh ... wflash.cab
INF = C:\WINDOWS\Downloaded Program Files\swflash.inf