Error loading rundll and Chinese popups



TotalTech
2007-11-19, 19:26
On startup I receive a rundll "failed to load" error for c:\windows\system32\w0hq.dll. When I open Internet Explorer and click on links I receive random popups to Chinese-based web pages. I ran Kaspersky and it found 6 viruses and 32 infected objects, but I was unable to get a log file. Below is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:40 AM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abetterblade.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\system32\SVCH0ST.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:\WINDOWS\system32\0841.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\RunOnce: [w0hq] %systemroot%\system32\Rundll32.exe %systemroot%\system32\w0hq.dll,DllUnregisterServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDOG32] LYLoador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDSG32] LYLoadar.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDMG32] LYLoadmr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDHG32] LYLoadhr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDQG32] LYLoadqr.exe
O4 - HKUS\S-1-5-18\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 快搜 - {BF5DC4AE-258C-43d5-9D80-1F7ACD734DD8} - C:\WINDOWS\Temp\minigame.exe (file missing)
O9 - Extra 'Tools' menuitem: 快速搜索 - {BF5DC4AE-258C-43d5-9D80-1F7ACD734DD8} - C:\WINDOWS\Temp\minigame.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00726/sb028.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\Software\..\Telephony: DomainName = lagunatools.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lagunatools.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: 739366DB - Unknown owner - C:\WINDOWS\system32\CE6E243B.EXE (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: F7B38D6E - Unknown owner - C:\WINDOWS\system32\4A4CB081.EXE (file missing)
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (file missing)
O23 - Service: Windows Accounts Driver (windows_0) - Unknown owner - C:\WINDOWS\system32\kav.exe (file missing)

--
End of file - 10222 bytes
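
Added here as an example (not HijackThis code and not the helper's method): a small Python triage of HJT entries like the ones in the log above, flagging the second program chained onto UserInit, the SVCH0ST look-alike name, the Policies\Explorer\Run loaders, programs started from TEMP, and the "(file missing)" registrations left behind. The sample lines are copied from the posted log, with one non-ASCII button label replaced by a placeholder and two benign entries kept to show the rules stay quiet on them.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; not HijackThis code and not the forum helper's
method. It encodes checks a reviewer applies by eye to a log like the one
above: a second program chained onto UserInit, a system-binary name spelled
with digits (SVCH0ST), Policies\\Explorer\\Run autostarts, programs launched
from TEMP, and BHO/button/service entries whose file is already missing.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section rule items")

# Constructed sample: lines taken from the HJT log posted above (one O9 label
# replaced by an ASCII placeholder), plus two benign entries (Apoint, Ati).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\system32\SVCH0ST.EXE
O2 - BHO: ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:\WINDOWS\system32\0841.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\RunOnce: [w0hq] %systemroot%\system32\Rundll32.exe %systemroot%\system32\w0hq.dll,DllUnregisterServer
O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe
O4 - HKUS\S-1-5-18\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'SYSTEM')
O9 - Extra button: (label) - {BF5DC4AE-258C-43d5-9D80-1F7ACD734DD8} - C:\WINDOWS\Temp\minigame.exe (file missing)
O23 - Service: 739366DB - Unknown owner - C:\WINDOWS\system32\CE6E243B.EXE (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Windows system binaries whose names malware likes to imitate.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "userinit.exe", "spoolsv.exe",
}
# Digit-for-letter substitutions that make a look-alike read like the original.
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l"})

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
BINARY = re.compile(r"[\w~$.\-]+\.(?:exe|dll|sys)\b", re.I)


def parse(line):
    """Split an HJT entry into (section, body); None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def binaries(body):
    """File names (exe/dll/sys) mentioned in an entry, in order."""
    return BINARY.findall(body)


def lookalikes(body):
    """Names that become a known system binary once 0->o and 1->l are undone."""
    hits = []
    for name in binaries(body):
        low = name.lower()
        norm = low.translate(LOOKALIKE_MAP)
        if norm != low and norm in KNOWN_SYSTEM_BINARIES:
            hits.append(name)
    return hits


def triage_line(line):
    """Apply every rule to one entry and return the findings it raises."""
    parsed = parse(line)
    if parsed is None:
        return []
    sec, body = parsed
    found = []
    if sec == "F2" and "UserInit=" in body:
        # UserInit should name exactly one program (userinit.exe); any further
        # comma-separated entry is started at every interactive logon.
        parts = body.split("UserInit=", 1)[1].split(",")
        extra = [p for p in parts if p and not p.lower().endswith("userinit.exe")]
        if extra:
            found.append(Finding(sec, "userinit-chain", extra))
    if sec == "O4" and "Policies\\Explorer\\Run" in body:
        # Policy-driven autostart, rarely used by legitimate software.
        found.append(Finding(sec, "policy-run", binaries(body)))
    if sec == "O4" and "RunOnce" in body and "rundll32" in body.lower():
        # A RunOnce that hands a DLL to rundll32 re-registers it at next boot.
        found.append(Finding(sec, "runonce-rundll32", binaries(body)))
    if "\\TEMP\\" in body.upper():
        # Autostarts and buttons living in a TEMP folder deserve a second look.
        found.append(Finding(sec, "runs-from-temp", binaries(body)))
    if sec in ("O2", "O9", "O23") and "(file missing)" in body:
        # Registration that outlived its file; HJT marks these "(file missing)".
        found.append(Finding(sec, "dangling-" + sec.lower(), binaries(body)))
    names = lookalikes(body)
    if names:
        found.append(Finding(sec, "lookalike-name", names))
    return found


def triage(log_text):
    """Run triage_line over a whole log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.rule:<20}{', '.join(f.items)}")
```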

Mr_JAk3
2007-11-27, 19:28
Hello TotalTech and welcome to the Forums :)

Sorry for the delay..

You're infected. These Chinese infections can be pretty sticky to remove, but let's see... One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

TotalTech
2007-11-30, 18:16
My turn to apologize; I had some RL issues come up. While I was gone a colleague decided to "help" and made things worse. Now when I boot the laptop up I get no icons or start bar, both in Normal mode and Safe Mode. I do have a mouse pointer. I can bring up Task Manager with Ctrl+Alt+Delete and go to the Run command from there. I tested this by bringing up msconfig. I now have the machine locked up and away from "helping" hands.

Mr_JAk3
2007-12-02, 15:03
Hi again and sorry for the delay, I was away...

Sounds bad :sick:

Let's see if this works --> How to use the Last Known Good Configuration? (http://support.microsoft.com/kb/307852)

Let me know how it went :bigthumb:

TotalTech
2007-12-03, 22:29
No luck, my start menu pops up then disappears again.

TotalTech
2007-12-03, 23:49
I've been able to load Combofix on a usb drive and am running it from the cmd prompt now.

TotalTech
2007-12-04, 00:05
Here is the ComboFix log.

ComboFix 07-12-02.6 - Administrator 2007-12-03 14:47:06.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.291 [GMT -8:00]
Running from: E:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\_desktop.ini
C:\Documents and Settings\Administrator.LAGUNATOOLS\Favorites\-0007~1.lnk
C:\Documents and Settings\Administrator.LAGUNATOOLS\Favorites\-9895~1.lnk
C:\Documents and Settings\Administrator.LAGUNATOOLS\Favorites\_cctv0~1.lnk
C:\Documents and Settings\Administrator.LAGUNATOOLS\Favorites\9265~1.lnk
C:\Documents and Settings\Administrator.LAGUNATOOLS\Favorites\bfc1~1.lnk
C:\Documents and Settings\Torben.LAGUNATOOLS\Favorites\7BFA~1.URL
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\cpush\Uninst.exe
C:\WINDOWS\b721.exe
C:\WINDOWS\bb1.bmp
C:\WINDOWS\system32\601.dll
C:\WINDOWS\system32\drivers\mxdispdr.sys
C:\WINDOWS\TEMP.\~my1.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IDNAUX
-------\LEGACY_MXDISPDR
-------\LEGACY_NPF
-------\LEGACY_WINDOWS_0
-------\mxdispdr
-------\nm
-------\NPF
-------\windows_0




((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-12-03 14:21 . 2007-12-03 14:21 <DIR> d-------- C:\HJTHIS
2007-11-20 08:35 . 2007-11-20 08:35 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2007-11-20 08:35 . 2007-11-20 08:35 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2007-11-20 08:34 . 2007-11-20 08:34 <DIR> d-------- C:\Program Files\Common Files\eDrawings2008
2007-11-19 09:59 . 2007-11-19 09:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\F11E4
2007-11-19 09:59 . 2007-11-19 09:59 19 --a------ C:\WINDOWS\SYSTEM32\setyahoo.ini
2007-11-16 10:44 . 2007-11-16 10:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-16 10:44 . 2007-11-16 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 09:57 . 2007-11-16 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 12:16 . 2007-11-13 12:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 12:15 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-11-13 11:03 . 2007-11-13 11:03 68 --a------ C:\WINDOWS\SYSTEM32\32f8cb
2007-11-13 10:33 . 2007-11-13 10:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-13 10:33 . 2007-11-13 10:33 68 --a------ C:\WINDOWS\SYSTEM32\2bce
2007-11-13 10:03 . 2007-11-13 10:03 68 --a------ C:\WINDOWS\SYSTEM32\1ca1
2007-11-13 09:33 . 2007-11-13 09:33 68 --a------ C:\WINDOWS\SYSTEM32\1b9b
2007-11-13 09:28 . 2007-07-09 05:16 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-11-13 09:13 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2007-11-13 09:03 . 2007-11-13 09:03 68 --a------ C:\WINDOWS\SYSTEM32\032f
2007-11-13 09:03 . 2007-11-13 11:05 29 --a------ C:\WINDOWS\SYSTEM32\2961-15-14
2007-11-13 08:46 . 2007-11-13 08:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-11-10 14:02 . 2007-11-10 14:02 <DIR> d-------- C:\Documents and Settings\Torben.LAGUNATOOLS\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 23:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-27 20:50 --------- d-----w C:\Documents and Settings\Torben.LAGUNATOOLS\Application Data\AdobeUM
2007-11-21 21:42 --------- d-----w C:\Program Files\SalesLogix
2007-11-19 18:02 --------- d-----w C:\Program Files\Trend Micro
2007-11-13 17:22 --------- d-----w C:\Documents and Settings\Administrator.LAGUNATOOLS\Application Data\U3
2007-11-13 16:01 --------- d-----w C:\Program Files\MSN Messenger
2007-11-13 15:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 15:56 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-22 17:48 579,808 ----a-w C:\WINDOWS\system32\drivers\FStopW.sys
2004-10-27 23:02 17,144 ----a-w C:\Documents and Settings\IT\Application Data\GDIPFONTCACHEV1.DAT
2004-10-26 23:46 13,312 ----a-w C:\Documents and Settings\Torben.LAGUNATOOLS\garbage-maybe.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-28_10.43.07.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-09 00:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9751A53-4494-4d7c-9732-AE3058D8145F}]
C:\WINDOWS\system32\0841.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 08:33]
"ATI"="C:\WINDOWS\temp\ATi2evxx.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2007-10-24 14:28]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" []
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-16 16:17]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-08-20 18:24]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 10:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"w0hq"="C:\WINDOWS\system32\Rundll32.exe" [2004-08-03 23:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EFI Job Monitor"="C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{62A612A4-4334-4424-4234-42261A31A238}"= C:\WINDOWS\system32\bbqpri.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 05:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\6]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\7]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\6]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\7]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Extension-List\{00000000-0000-0000-0000-000000000000}]

TotalTech
2007-12-04, 00:09
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logoff]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon\0\0]
"Script"=mapH.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logoff]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logon\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logon\0\0]
"Script"=mapH.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-

TotalTech
2007-12-04, 00:11
1-5-21-843651394-707275292-1862565094-1022\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Loopback-GPO-List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=C:\WINDOWS\pss\Device Detector 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2k0lcm1sg7r6]
C:\DOCUME~1\TORBEN~1.LAG\LOCALS~1\Temp\explorei.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2003-07-29 11:30 335872 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bascstray]
BascsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmdbcs]
C:\WINDOWS\cmdbcs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol]
2003-05-29 20:47 69632 --a------ C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2002-12-17 18:16 360448 --a------ C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2002-07-17 08:18 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\PROGRA~1\COMMON~1\onlinegame\fs2online.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mhsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\mhso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mnupyjkn]
C:\WINDOWS\mnupyjkn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 12.0]
2007-07-31 17:36 2037088 --a------ C:\Program Files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nqwindl]
C:\WINDOWS\nqwinll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwnslop]
C:\WINDOWS\nwnslop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nzttlln]
C:\WINDOWS\nzttdll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]
2003-03-26 16:41 53248 --a------ C:\PROGRA~1\PESTPA~1\PPControl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]
2003-04-19 04:53 148480 --a------ C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qjsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\qjso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\PROGRA~1\COMMON~1\onlinegame\fs2online.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\testrun]
C:\WINDOWS\testexe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tlsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\tlso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TradeManager]
C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager -hideframe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\upxdnd]
C:\WINDOWS\upxdnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\wdso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wgsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\wgso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wincdb]
C:\WINDOWS\wincdb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wlsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\wlso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wosa]
C:\DOCUME~1\TORBEN~1.LAG\LOCALS~1\Temp\woso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zcrbzk2s]
C:\DOCUME~1\TORBEN~1.LAG\LOCALS~1\Temp\iexpl0re.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Visual Studio Analyzer RPC bridge"=3 (0x3)
"tmlisten"=2 (0x2)
"SolidWorks Licensing Service"=3 (0x3)
"ose"=3 (0x3)
"ntrtscan"=2 (0x2)
"NetSvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"F7B38D6E"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WinDefend"=2 (0x2)
"739366DB"=2 (0x2)
"Norton Ghost"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"BAsfIpM"=2 (0x2)

R0 bpdudhg5;bpdudhg;C:\WINDOWS\system32\DRIVERS\bpdudhg5.sys
R0 FPAV_RTP;FPAV_RTP;C:\WINDOWS\system32\drivers\FStopW.sys
R1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\System32\Drivers\RCFOX.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R2 FPAVServer;F-PROT Antivirus for Windows system;"C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe"
R2 v2imount;Symantec V2i Mount Driver;C:\WINDOWS\system32\DRIVERS\v2imount.sys
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S2 gaiz95nu;gaiz95nu;\??\C:\WINDOWS\system32\drivers\gaiz95nu.sys
S2 t1p1r0l;t1p1r0l;\??\C:\WINDOWS\system32\drivers\t1p1r0l.sys
S3 WimFltr;WimFltr;C:\WINDOWS\system32\DRIVERS\wimfltr.sys
S4 739366DB;739366DB;C:\WINDOWS\system32\CE6E243B.EXE -d
S4 F7B38D6E;F7B38D6E;C:\WINDOWS\system32\4A4CB081.EXE -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{217e2492-9209-11dc-81d6-006073e0d381}]
\Shell\AutoRun\command - E:\DCoTMenu.exe
\Shell\menu\command - E:\DCoTMenu.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{95192103-834D-71CF-64CD-51E15112AF20}]
C:\WINDOWS\system32\nwizhx2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BA312103-F04D-31cf-64CD-21EF5011CF20}]
C:\WINDOWS\system32\nwizqjsj.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-29 02:02:07 C:\WINDOWS\Tasks\Daily.job"
- C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPWin.exe
"2007-11-28 17:54:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-28 16:28:07 C:\WINDOWS\Tasks\Weekly.job"
- C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPWin.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 14:53:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 14:54:38 - machine was rebooted
.
--- E O F ---

TotalTech
2007-12-04, 00:13
TotalTech
2007-12-04, 19:25
Oops, sorry for the repost there; when I was posting, my firewall had timed out.

Mr_JAk3
2007-12-04, 20:20
Ok. You have a lot of infections there.

Now that you've run ComboFix, does the computer start in normal mode or safe mode?

TotalTech
2007-12-04, 21:03
It will start in either mode, but I have no desktop icons, no Start menu and no Explorer. To get you the ComboFix and HJT logs, I have them on a USB thumb drive and ran them from there through the DOS prompt.

Mr_JAk3
2007-12-06, 14:35
Hi again :)

Sorry for the delay...

OK, looks bad. You have loads of these Chinese pests there. One or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Also, as the PC doesn't start, it is possible that we would have to do a repair installation and then see if the PC starts. If that works, then we'd have to try cleaning.

There is this one thing we can do and see if it helps:

You'll have to download the following scanner to the USB stick and run it via the DOS prompt.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer into Safe Mode:
Restart your computer.
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe Mode.
Press Enter. The computer then begins to start in Safe Mode.
Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look if you can click the next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable.
After the scan, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot the computer in Normal Mode.
Post the CureIt report and a fresh HijackThis log.

Please let us know what you have decided to do in your next post:bigthumb:

TotalTech
2007-12-06, 20:56
bpdudhg5.sys;c:\windows\system32\drivers;Adware.QQHelp;Incurable.Moved.;
bb1.bmp.vir;C:\qoobox\Quarantine\C\WINDOWS;Adware.Sogou.origin;Incurable.Moved.;
601.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32;Adware.Sogou.origin;Incurable.Moved.;

TotalTech
2007-12-06, 20:57
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10, on 2007-12-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abetterblade.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:\WINDOWS\system32\0841.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI] C:\WINDOWS\temp\ATi2evxx.exe
O4 - HKUS\S-1-5-18\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00726/sb028.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\Software\..\Telephony: DomainName = lagunatools.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lagunatools.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

TotalTech
2007-12-06, 20:59
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe (file missing)

--
End of file - 5612 bytes

TotalTech
2007-12-06, 21:02
The HJT log was done with the PC running in normal mode, but I still have no desktop or Explorer. Like before, I ran the utilities through the cmd prompt.

If possible, I'd like to salvage this computer, since the user has programs on it that are only on this computer. If it is beyond saving, I guess he will learn from this painful lesson of his lost data. Thank you for all of your efforts in assisting me on this.
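The log above contains the kinds of entries the helper in this thread singles out for removal: autostarts launched from a Temp directory, a BHO whose DLL is already gone, a service or driver with an 8-hex-digit name, and a copy of a system binary outside its normal directory. As an added example (not part of the thread and not a HijackThis feature), the script below applies those heuristics to a few lines copied from the posted logs plus one constructed O4 line adapted from the S4 service entry in the ComboFix log; the EXPECTED_DIR table is an assumption built from the process list at the top of the thread, where Ati2evxx.exe runs from System32.

```python
"""Heuristic triage of HijackThis log lines.
Added example, not thread or HijackThis code; the heuristics mirror what the
helper in this thread flagged, and EXPECTED_DIR is an assumption."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, plus
# a final O4 line adapted from the S4 service entry in the ComboFix log.
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:\\WINDOWS\\system32\\0841.dll (file missing)
O4 - HKLM\\..\\Run: [Apoint] C:\\Program Files\\Apoint\\Apoint.exe
O4 - HKCU\\..\\Run: [ATI] C:\\WINDOWS\\temp\\ATi2evxx.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [EFI Job Monitor] C:\\WINDOWS\\TEMP\\JobMonitor\\JobMonitor.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\RampartSvc.exe (file missing)
O4 - HKLM\\..\\Run: [739366DB] C:\\WINDOWS\\system32\\CE6E243B.EXE -d
"""

# Binaries this machine's own process list shows in their proper directory;
# the same name launched from anywhere else is worth a look (assumed table).
EXPECTED_DIR = {"ati2evxx.exe": "c:\\windows\\system32"}

WIN_PATH = re.compile(r"[A-Za-z]:\\[^()\r\n]*?\.(?:exe|dll|sys)", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)     # e.g. CE6E243B.EXE

@dataclass
class Finding:
    line: int
    section: str
    reason: str

def triage_line(n, line):
    """Apply every heuristic to one HijackThis line; returns zero or more Findings."""
    out = []
    section = line.split(" - ", 1)[0].strip()          # "O4", "O23", ...
    m = WIN_PATH.search(line)
    path = m.group(0) if m else ""
    directory, _, name = path.lower().rpartition("\\")
    if "(file missing)" in line and section in ("O2", "O3", "O23"):
        out.append(Finding(n, section, "orphaned registration: target file is gone"))
    if section == "O4" and path:
        if TEMP_DIR.search(path):
            out.append(Finding(n, section, "autostart runs from a Temp directory"))
        if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
            out.append(Finding(n, section, f"{name} outside {EXPECTED_DIR[name]}"))
    if HEX_NAME.match(name):
        out.append(Finding(n, section, "8-hex-digit file name, typical of generated droppers"))
    if section == "O20" and "AppInit_DLLs" in line:
        out.append(Finding(n, section, "AppInit_DLLs set: loaded into every process using user32"))
    if section == "O23" and "Unknown owner" in line:
        out.append(Finding(n, section, "service binary carries no publisher information"))
    return out

def triage(log_text):
    """Run the heuristics over each line; returns Findings in log order."""
    return [f for n, line in enumerate(log_text.splitlines(), 1)
              for f in triage_line(n, line)]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:2} {f.section:4} {f.reason}")
```

The heuristics only raise items for a human to look at; the "Unknown owner" SonicWALL service and the Google AppInit DLL are flagged for review, not condemned, which matches how the thread treats them.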

Mr_JAk3
2007-12-07, 19:24
Hi :)

OK. Now I need you to save the following text file (instructions below) to your memory stick.


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\SYSTEM32\32f8cb
C:\WINDOWS\SYSTEM32\2bce
C:\WINDOWS\SYSTEM32\1ca1
C:\WINDOWS\SYSTEM32\1b9b
C:\WINDOWS\SYSTEM32\032f
C:\WINDOWS\system32\0841.dll
C:\WINDOWS\system32\bbqpri.dll
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\mnupyjkn.exe
C:\WINDOWS\nqwinll.exe
C:\WINDOWS\nwnslop.exe
C:\WINDOWS\nzttdll.exe
C:\WINDOWS\testexe.exe
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\wincdb.exe
C:\WINDOWS\system32\drivers\gaiz95nu.sys
C:\WINDOWS\system32\drivers\t1p1r0l.sys
C:\WINDOWS\system32\CE6E243B.EXE
C:\WINDOWS\system32\4A4CB081.EXE
C:\WINDOWS\system32\nwizqjsj.exe
C:\WINDOWS\system32\nwizhx2.exe

Folder::
C:\WINDOWS\SYSTEM32\F11E4

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9751A53-4494-4d7c-9732-AE3058D8145F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"w0hq"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{62A612A4-4334-4424-4234-42261A31A238}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2k0lcm1sg7r6]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmdbcs]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mhsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mnupyjkn]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nqwindl]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwnslop]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nzttlln]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qjsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\testrun]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tlsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\upxdnd]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wgsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wincdb]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wlsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wosa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zcrbzk2s]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{95192103-834D-71CF-64CD-51E15112AF20}]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BA312103-F04D-31cf-64CD-21EF5011CF20}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"F7B38D6E"=-
"739366DB"=-

Driver::
bpdudhg5
gaiz95nu
t1p1r0l
739366DB
F7B38D6E



Save this as "CFScript"

Now you'll need to drag this CFScript onto ComboFix.exe (like in the picture below).

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Alternatively you can copy the file CFScript to your clipboard (CTRL+C) and then select ComboFix.exe and paste the CFScript (CTRL+V) to ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
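As an added example that is not part of the thread or of ComboFix, here is a parser for the CFScript format used above (File::, Folder::, Registry:: and Driver:: sections, with [-key] deleting a whole key and "name"=- deleting one value), plus a check that compares the request against the FILE, Other Deletions and Drivers/Services sections of the resulting ComboFix log, so that anything ComboFix did not report as removed stands out. The embedded script and log are shortened copies of the ones posted in this thread; the banner format and the treatment of LEGACY_ entries are inferred from that log, not taken from ComboFix documentation.

```python
"""CFScript parser plus a coverage check against the ComboFix log.
Added example, not thread or ComboFix code; samples are shortened copies
of the script and log posted in this thread."""
import re

SAMPLE_CFSCRIPT = """\
File::
C:\\WINDOWS\\system32\\0841.dll
C:\\WINDOWS\\upxdnd.exe
C:\\WINDOWS\\system32\\drivers\\gaiz95nu.sys
C:\\WINDOWS\\system32\\CE6E243B.EXE

Folder::
C:\\WINDOWS\\SYSTEM32\\F11E4

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{B9751A53-4494-4d7c-9732-AE3058D8145F}]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
"w0hq"=-

Driver::
bpdudhg5
gaiz95nu
739366DB
"""

SAMPLE_COMBOFIX_LOG = """\
FILE
C:\\WINDOWS\\system32\\0841.dll
C:\\WINDOWS\\system32\\CE6E243B.EXE
C:\\WINDOWS\\system32\\drivers\\gaiz95nu.sys
C:\\WINDOWS\\upxdnd.exe
.
(((((((((( Other Deletions ))))))))))
.
C:\\WINDOWS\\SYSTEM32\\F11E4
.
(((((((((( Drivers/Services ))))))))))
.
-------\\LEGACY_739366DB
-------\\LEGACY_BPDUDHG5
-------\\LEGACY_GAIZ95NU
-------\\739366DB
-------\\gaiz95nu
"""

SECTION = re.compile(r"^(File|Folder|Registry|Driver)::$")
BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # "((( Other Deletions )))"

def parse_cfscript(text):
    """Return the requested actions per section; Registry:: becomes tuples."""
    plan = {"File": [], "Folder": [], "Driver": [], "Registry": []}
    section = key = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            raise ValueError(f"line outside any section: {line!r}")
        if section != "Registry":
            plan[section].append(line)
        elif line.startswith("[-") and line.endswith("]"):   # [-key]: delete whole key
            plan["Registry"].append(("delete_key", line[2:-1]))
            key = None
        elif line.startswith("[") and line.endswith("]"):    # [key]: values follow
            key = line[1:-1]
        elif line.startswith('"') and key:                   # "name"=- deletes a value
            name, _, data = line.partition("=")
            op = "delete_value" if data == "-" else "set_value"
            plan["Registry"].append((op, key, name.strip('"'), data))
        else:
            raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return plan

def combofix_sections(log):
    """Map 'FILE' and each banner heading to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in (l.strip() for l in log.splitlines()):
        m = BANNER.match(line)
        if line == "FILE" or m:
            current = m.group(1) if m else "FILE"
            sections[current] = []
        elif current and line and line != ".":
            sections[current].append(line)
    return sections

def unconfirmed(plan, log):
    """Requested files, folders and drivers the log never reports as removed."""
    s = combofix_sections(log)
    gone = {p.lower() for p in s.get("FILE", []) + s.get("Other Deletions", [])}
    # The log lists a service key and/or its LEGACY_ enum key; accept either.
    drivers = {re.sub(r"^LEGACY_", "", l.rsplit("\\", 1)[-1], flags=re.I).lower()
               for l in s.get("Drivers/Services", [])}
    return {
        "File": [p for p in plan["File"] if p.lower() not in gone],
        "Folder": [p for p in plan["Folder"] if p.lower() not in gone],
        "Driver": [d for d in plan["Driver"] if d.lower() not in drivers],
    }

if __name__ == "__main__":
    print(unconfirmed(parse_cfscript(SAMPLE_CFSCRIPT), SAMPLE_COMBOFIX_LOG))
```

Accepting the LEGACY_ form matters for this thread: bpdudhg5 appears in the log only as LEGACY_BPDUDHG5, because Dr.Web CureIt had already moved bpdudhg5.sys before ComboFix ran, so a check that demanded the plain service line would report a false gap.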

TotalTech
2007-12-07, 23:01
ComboFix 07-12-02.6 - Administrator 2007-12-07 13:46:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.217 [GMT -8:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\mnupyjkn.exe
C:\WINDOWS\nqwinll.exe
C:\WINDOWS\nwnslop.exe
C:\WINDOWS\nzttdll.exe
C:\WINDOWS\SYSTEM32\032f
C:\WINDOWS\system32\0841.dll
C:\WINDOWS\SYSTEM32\1b9b
C:\WINDOWS\SYSTEM32\1ca1
C:\WINDOWS\SYSTEM32\2bce
C:\WINDOWS\SYSTEM32\32f8cb
C:\WINDOWS\system32\4A4CB081.EXE
C:\WINDOWS\system32\bbqpri.dll
C:\WINDOWS\system32\CE6E243B.EXE
C:\WINDOWS\system32\drivers\gaiz95nu.sys
C:\WINDOWS\system32\drivers\t1p1r0l.sys
C:\WINDOWS\system32\nwizhx2.exe
C:\WINDOWS\system32\nwizqjsj.exe
C:\WINDOWS\testexe.exe
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\wincdb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\032f
C:\WINDOWS\SYSTEM32\1b9b
C:\WINDOWS\SYSTEM32\1ca1
C:\WINDOWS\SYSTEM32\2bce
C:\WINDOWS\SYSTEM32\32f8cb
C:\WINDOWS\SYSTEM32\F11E4

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_739366DB
-------\LEGACY_BPDUDHG5
-------\LEGACY_F7B38D6E
-------\LEGACY_GAIZ95NU
-------\LEGACY_T1P1R0L
-------\739366DB
-------\F7B38D6E
-------\gaiz95nu
-------\t1p1r0l


((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
.

2007-12-06 09:28 . 2007-12-06 09:32 <DIR> d-------- C:\Documents and Settings\Administrator.LAGUNATOOLS\DoctorWeb
2007-12-03 14:21 . 2007-12-03 14:21 <DIR> d-------- C:\HJTHIS
2007-11-20 08:35 . 2007-11-20 08:35 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2007-11-20 08:35 . 2007-11-20 08:35 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2007-11-20 08:34 . 2007-11-20 08:34 <DIR> d-------- C:\Program Files\Common Files\eDrawings2008
2007-11-19 09:59 . 2007-11-19 09:59 19 --a------ C:\WINDOWS\SYSTEM32\setyahoo.ini
2007-11-16 10:44 . 2007-11-16 10:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-16 10:44 . 2007-11-16 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 09:57 . 2007-11-16 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 12:16 . 2007-11-13 12:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 12:15 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-11-13 10:33 . 2007-11-13 10:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-13 09:28 . 2007-07-09 05:16 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-11-13 09:13 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2007-11-13 09:03 . 2007-11-13 11:05 29 --a------ C:\WINDOWS\SYSTEM32\2961-15-14
2007-11-13 08:46 . 2007-11-13 08:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-11-10 14:02 . 2007-11-10 14:02 <DIR> d-------- C:\Documents and Settings\Torben.LAGUNATOOLS\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 23:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-27 20:50 --------- d-----w C:\Documents and Settings\Torben.LAGUNATOOLS\Application Data\AdobeUM
2007-11-21 21:42 --------- d-----w C:\Program Files\SalesLogix
2007-11-19 18:02 --------- d-----w C:\Program Files\Trend Micro
2007-11-13 17:22 --------- d-----w C:\Documents and Settings\Administrator.LAGUNATOOLS\Application Data\U3
2007-11-13 16:01 --------- d-----w C:\Program Files\MSN Messenger
2007-11-13 15:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 15:56 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-22 17:48 579,808 ----a-w C:\WINDOWS\system32\drivers\FStopW.sys
2004-10-27 23:02 17,144 ----a-w C:\Documents and Settings\IT\Application Data\GDIPFONTCACHEV1.DAT
2004-10-26 23:46 13,312 ----a-w C:\Documents and Settings\Torben.LAGUNATOOLS\garbage-maybe.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-28_10.43.07.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-09 00:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 08:33]
"ATI"="C:\WINDOWS\temp\ATi2evxx.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2007-10-24 14:28]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" []
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-16 16:17]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-08-20 18:24]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 10:28]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EFI Job Monitor"="C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 05:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\6]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\7]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\6]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\7]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logoff]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon\0\0]
"Script"=mapH.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Extension-List]

TotalTech
2007-12-07, 23:04
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logoff]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logon\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logon\0\0]
"Script"=mapH.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Loopback-GPO-List]

TotalTech
2007-12-07, 23:05
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=C:\WINDOWS\pss\Device Detector 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2003-07-29 11:30 335872 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bascstray]
BascsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol]
2003-05-29 20:47 69632 --a------ C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2002-12-17 18:16 360448 --a------ C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2002-07-17 08:18 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\PROGRA~1\COMMON~1\onlinegame\fs2online.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 12.0]
2007-07-31 17:36 2037088 --a------ C:\Program Files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]
2003-03-26 16:41 53248 --a------ C:\PROGRA~1\PESTPA~1\PPControl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]
2003-04-19 04:53 148480 --a------ C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\PROGRA~1\COMMON~1\onlinegame\fs2online.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TradeManager]
C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager -hideframe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Visual Studio Analyzer RPC bridge"=3 (0x3)
"tmlisten"=2 (0x2)
"SolidWorks Licensing Service"=3 (0x3)
"ose"=3 (0x3)
"ntrtscan"=2 (0x2)
"NetSvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WinDefend"=2 (0x2)
"Norton Ghost"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"BAsfIpM"=2 (0x2)

R0 FPAV_RTP;FPAV_RTP;C:\WINDOWS\system32\drivers\FStopW.sys
R1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\System32\Drivers\RCFOX.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R2 FPAVServer;F-PROT Antivirus for Windows system;"C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe"
R2 v2imount;Symantec V2i Mount Driver;C:\WINDOWS\system32\DRIVERS\v2imount.sys
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S3 WimFltr;WimFltr;C:\WINDOWS\system32\DRIVERS\wimfltr.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{217e2492-9209-11dc-81d6-006073e0d381}]
\Shell\AutoRun\command - E:\DCoTMenu.exe
\Shell\menu\command - E:\DCoTMenu.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-06 17:19:45 C:\WINDOWS\Tasks\Daily.job"
- C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPWin.exe
"2007-11-28 17:54:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-28 16:28:07 C:\WINDOWS\Tasks\Weekly.job"
- C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPWin.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 13:51:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-07 13:53:08 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-03 14:54
.
--- E O F ---

TotalTech
2007-12-07, 23:09
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:56, on 2007-12-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
e:\a43\a43.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abetterblade.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI] C:\WINDOWS\temp\ATi2evxx.exe
O4 - HKUS\S-1-5-18\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00726/sb028.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\Software\..\Telephony: DomainName = lagunatools.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lagunatools.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe (file missing)

--
End of file - 5492 bytes
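An added example, not part of the original thread and not code from HijackThis or any other tool mentioned here, showing the first-pass triage a responder does on the O4 autorun lines of a log like the one above: parse each entry, pull out the executable path, and flag the patterns that stand out in this log (a binary launched from a temp directory, a bare filename resolved by search path, an entry that runs for SYSTEM or the Default user from outside the usual program directories). The sample lines are constructed from entries in the posted log; the function and dataclass names (`triage_o4`, `first_token`, `Finding`) and the heuristics are assumptions of this example, and a flag is a prompt to look at the file on disk, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a few autorun lines modelled on the HijackThis log posted
# above, plus one non-O4 line to show it is ignored. Not the complete log.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI] C:\WINDOWS\temp\ATi2evxx.exe
O4 - HKUS\S-1-5-18\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
"""

# O4 line shape: "O4 - <hive>\..\<Run key>: [<value name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Any path component that is a temp directory.
TEMP_RE = re.compile(r"\\(temp|tmp|temporary internet files)\\", re.IGNORECASE)
# Where a vendor binary that autoruns for SYSTEM or the Default user normally lives.
TRUSTED_ROOT_RE = re.compile(
    r"^[a-z]:\\(windows\\(system32|pchealth)|program files|progra~1)\\", re.IGNORECASE
)


@dataclass
class Finding:
    name: str
    exe: str
    reasons: List[str] = field(default_factory=list)


def first_token(cmd: str) -> str:
    """Executable part of an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path ends at the first known extension followed by a space or EOL.
    m = re.match(r"(.+?\.(?:exe|dll|bat|cmd|scr|pif|vbs))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_o4(log_text: str) -> List[Finding]:
    """Return the O4 entries that deserve a closer look, with the reason for each."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = first_token(m["cmd"])
        reasons = []
        if TEMP_RE.search(exe):
            reasons.append("autorun binary lives in a temp directory")
        if "\\" not in exe:
            reasons.append("bare filename: resolved by the loader's search path, "
                           "so the log alone cannot say which file runs")
        user = m["user"]
        if user in ("SYSTEM", "Default user") and not TRUSTED_ROOT_RE.match(exe):
            reasons.append(f"runs for '{user}' from a non-standard location")
        if reasons:
            findings.append(Finding(m["name"], exe, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_HJT):
        print(f"[{f.name}] {f.exe}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample this flags the ATI entry in C:\WINDOWS\temp, the EFI Job Monitor entry that runs for SYSTEM out of C:\WINDOWS\TEMP, and the bare-name ATIModeChange entry; the F-PROT, Google Desktop and swg entries pass. A bare name only means the log cannot tell you which file on disk is launched, so confirm it there before acting on it.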

Mr_JAk3
2007-12-08, 16:09
Hi :)

OK, good. Looks better.

Now we'll try this.

First we'll back up the explorer.exe file if it exists:

Go to C:\WINDOWS and find the file explorer.exe
If it exists, rename it to explorer.exe.old

Then

See if the file explorer.exe exists in one of the folders below:
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\System32\dllcache

If it exists, copy the file from one of the locations and paste it to the following folder (allow to overwrite if asked):

C:\WINDOWS

Now restart the computer and see if the desktop loads normally. :bigthumb:
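An added example, not from Mr_JAk3's post, that performs the same backup-and-restore in one step and adds the check the manual procedure lacks: it hashes the live explorer.exe against the cached copies before touching anything, so you learn whether the file was actually different, and it notes when the two cache locations disagree with each other. The function name `restore_shell_binary` and the report layout are assumptions of this example; it assumes the Windows directory is passed in, that explorer.exe is not running (as in this thread, where the shell never loads), and that the account can write to C:\WINDOWS. `run_demo` builds a scratch copy of the layout from constructed files so the logic can be exercised without touching a real system.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import List

# The two pristine copies the post points at, in order of preference
# (the Service Pack copy is the one that matches the installed SP level).
CACHE_SUBDIRS = ("ServicePackFiles/i386", "System32/dllcache")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_pristine_copies(windir: Path, name: str = "explorer.exe") -> List[Path]:
    return [windir / sub / name for sub in CACHE_SUBDIRS if (windir / sub / name).is_file()]


def restore_shell_binary(windir: Path, name: str = "explorer.exe") -> dict:
    """Back up the live binary as <name>.old, then replace it from a cache copy.

    Returns a report: hash of the old file (if any), the source used, whether
    the cache copies agreed with each other, and whether anything was replaced.
    """
    live = windir / name
    report = {"old_sha256": None, "source": None, "caches_agree": True, "replaced": False}
    candidates = find_pristine_copies(windir, name)
    if not candidates:
        return report  # nothing trustworthy to restore from; stop here
    hashes = {c: sha256_of(c) for c in candidates}
    report["caches_agree"] = len(set(hashes.values())) == 1
    if live.is_file():
        report["old_sha256"] = sha256_of(live)
        if report["old_sha256"] in hashes.values():
            return report  # live file already matches a cache copy; the file is not the problem
        backup = live.with_name(name + ".old")
        if backup.exists():
            backup.unlink()
        live.rename(backup)  # fails if the file is in use, which is what we want
    src = candidates[0]
    shutil.copy2(src, live)
    report.update(source=str(src), replaced=True)
    return report


def run_demo() -> dict:
    """Exercise the restore on a scratch tree of constructed files (no real system touched)."""
    root = Path(tempfile.mkdtemp(prefix="xp-windir-"))
    for sub in CACHE_SUBDIRS:
        (root / sub).mkdir(parents=True)
        (root / sub / "explorer.exe").write_bytes(b"pristine explorer")
    (root / "explorer.exe").write_bytes(b"tampered explorer")
    first = restore_shell_binary(root)
    second = restore_shell_binary(root)  # now a no-op: live file matches the cache
    out = {
        "first": first,
        "second": second,
        "live": (root / "explorer.exe").read_bytes(),
        "backup": (root / "explorer.exe.old").read_bytes(),
    }
    shutil.rmtree(root, ignore_errors=True)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

If the report comes back with `replaced` false and a hash that already matches the cache, replacing explorer.exe was never going to help and the cause is in what launches it rather than in the file. A matching hash between the live copy and dllcache is also only as good as dllcache itself; a copy from a clean machine at the same service pack level, compared the same way, is the stronger reference.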

TotalTech
2007-12-08, 21:06
Good news is I no longer have the DLL error when I start up, but I still have no explorer. I even tried copying the explorer.exe from a laptop of the same model. No luck; my start bar pops up for a split second, then it disappears.

Mr_JAk3
2007-12-09, 11:21
OK, so we'll need to do some more research...

Once again you'll need to download the tool to your USB stick...

Make a new folder in the C:\drive called silentrunners
Download 'Silent Runners' from here (direct download):
http://www.silentrunners.org/Silent%20Runners.vbs
Save it to your silentrunners folder.

Open a command prompt (cmd).
Type the following exactly and hit enter after each line:
cd c:\silentrunners (and hit enter)
"silent runners.vbs" -all (and hit enter)

Wait until it pops up saying it's completed, then post the resulting logfile here.
It will be very large. You may need several posts to include everything.

TotalTech
2007-12-10, 18:26
"Silent Runners.vbs", revision 53, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output of all locations checked and all values found.


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"ATI" = "C:\WINDOWS\temp\ATi2evxx.exe" [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
"F-PROT Antivirus Tray application" = "C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" ["FRISK Software"]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
"PRONoMgr.exe" = "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [file not found]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" ["Google"]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default) = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00022613-0000-0000-C000-000000000046}" = "Multimedia File Property Sheet"
-> {HKLM...CLSID} = "Multimedia File Property Sheet"
\InProcServer32\(Default) = "mmsys.cpl" [MS]
"{176d6597-26d3-11d1-b350-080036a75b03}" = "ICM Scanner Management"
-> {HKLM...CLSID} = "ICM Scanner Management"
\InProcServer32\(Default) = "icmui.dll" [MS]
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}" = "NTFS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" = "OLE Docfile Property Page"
-> {HKLM...CLSID} = "OLE Docfile Property Page"
\InProcServer32\(Default) = "docprop.dll" [MS]
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{41E300E0-78B6-11ce-849B-444553540000}" = "PlusPack CPL Extension"
-> {HKLM...CLSID} = "PlusPack CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\themeui.dll" [MS]
"{42071712-76d4-11d1-8b24-00a0c9068ff3}" = "Display Adapter CPL Extension"
-> {HKLM...CLSID} = "Display Adapter CPL Extension"
\InProcServer32\(Default) = "deskadp.dll" [MS]
"{42071713-76d4-11d1-8b24-00a0c9068ff3}" = "Display Monitor CPL Extension"
-> {HKLM...CLSID} = "Display Monitor CPL Extension"
\InProcServer32\(Default) = "deskmon.dll" [MS]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]

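The listing above (and the posts that follow) is the `Shell Extensions\Approved` section of a Silent Runners-style dump. Every record is three lines: the Approved value (`"{CLSID}" = "name"`), the CLSID title, and the `InProcServer32` target with a bracketed annotation. Those annotations carry the triage signal: `[MS]` means the tool matched the file to Microsoft, a quoted company name comes from the file's version resource, `[null data]` means the file exists but has no company or version information, and `[file not found]` means the registration points at a path that no longer exists, so nothing can load from it. Shell extensions are in-process COM servers that Explorer and IE load, which makes the "file present, not attributed to Microsoft" entries the ones to hash and verify; the `[MS]` verdict is the tool's own check and is only as trustworthy as the tool running on that host. The script below is an added example for this thread, not code from the poster, the forum helpers or the log tool's authors; the sample text is constructed from records visible in the posted log (with a forum post header pasted mid-record, as happens when a long log is split across posts), and the names `SAMPLE_LOG`, `parse_shell_extensions`, `classify` and `triage` are mine.

```python
"""Triage the 'Shell Extensions\\Approved' records of a Silent Runners-
style log.  Added example for this thread; not the tool's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: records copied from the posted log, with a forum post
# header pasted into the middle of one record, as happens when a long log
# is split across several posts.
SAMPLE_LOG = r'''
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" = "Scheduled Tasks"
-> {HKLM...CLSID} = "Scheduled Tasks"

TotalTech
2007-12-10, 18:28
\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" = "Shell DocObject Viewer"
-> {HKLM...CLSID} = "Shell DocObject Viewer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{905667aa-acd6-11d2-8080-00805f6596d2}" = "Scanners & Cameras"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "wiashext.dll" [MS]
'''

# One record is three lines: the Approved value, the CLSID title, the server.
ENTRY_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"\s*=\s*"(.*)"$')
TITLE_RE = re.compile(r'^->\s*\{HKLM\.\.\.CLSID\}\s*=\s*(.*)$')
SERVER_RE = re.compile(r'^\\InProcServer32\\\(Default\)\s*=\s*"([^"]*)"\s*\[(.*)\]$')


@dataclass
class ShellExt:
    clsid: str
    name: str       # value name under ...\Shell Extensions\Approved
    title: str      # (Default) of the CLSID key, or "(no title provided)"
    dll: str        # InProcServer32 target as written in the registry
    tag: str        # raw bracketed annotation from the log
    category: str   # see classify()

    @property
    def vendor(self) -> str:
        return self.tag.strip('"') if self.category == "third_party" else ""


def classify(tag: str) -> str:
    """Map the log's bracket annotation onto a triage bucket."""
    if tag == "MS":
        return "microsoft"        # tool identified the file as Microsoft's
    if tag == "file not found":
        return "missing"          # dead registration: nothing can load from it
    if tag == "null data":
        return "unattributed"     # file exists but has no company/version info
    return "third_party"          # quoted company name from the version resource


def parse_shell_extensions(text: str) -> list[ShellExt]:
    """Walk the log line by line, assembling three-line records and ignoring
    anything else (blank lines, forum post headers, other log sections)."""
    entries: list[ShellExt] = []
    pending: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ENTRY_RE.match(line)):
            pending = {"clsid": m.group(1), "name": m.group(2), "title": ""}
        elif pending is not None and (m := TITLE_RE.match(line)):
            pending["title"] = m.group(1).strip('"')
        elif pending is not None and (m := SERVER_RE.match(line)):
            dll, tag = m.group(1), m.group(2)
            entries.append(ShellExt(pending["clsid"], pending["name"],
                                    pending["title"], dll, tag, classify(tag)))
            pending = None
    return entries


def triage(text: str) -> dict[str, list[ShellExt]]:
    """Bucket every record.  'unattributed' and 'third_party' are the ones to
    hash and verify: real files on disk that the tool could not tie to
    Microsoft.  'missing' entries are stale registrations, not running code."""
    buckets: dict[str, list[ShellExt]] = {
        "microsoft": [], "third_party": [], "unattributed": [], "missing": []}
    for ext in parse_shell_extensions(text):
        buckets[ext.category].append(ext)
    return buckets


if __name__ == "__main__":
    for bucket, exts in triage(SAMPLE_LOG).items():
        print(f"[{bucket}]")
        for e in exts:
            who = f" ({e.vendor})" if e.vendor else ""
            print(f"  {e.clsid}  {e.dll}{who}")
```

Run it against a saved log instead of `SAMPLE_LOG` and work the `unattributed` and `third_party` buckets first: confirm each file is the product it claims to be (hash, signature, install path), and only then decide whether the `missing` entries are worth cleaning up as registry hygiene.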
TotalTech
2007-12-10, 18:27
"{4E40F770-369C-11d0-8922-00A024AB2DBB}" = "DS Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "dssec.dll" [MS]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "Compatibility Page"
-> {HKLM...CLSID} = "Compatibility Page"
\InProcServer32\(Default) = "SlayerXP.dll" [MS]
"{56117100-C0CD-101B-81E2-00AA004AE837}" = "Shell Scrap DataHandler"
-> {HKLM...CLSID} = "Shell Scrap DataHandler"
\InProcServer32\(Default) = "shscrap.dll" [MS]
"{59099400-57FF-11CE-BD94-0020AF85B590}" = "Disk Copy Extension"
-> {HKLM...CLSID} = "Disk Copy Extension"
\InProcServer32\(Default) = "diskcopy.dll" [MS]
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}" = "Shell extensions for Microsoft Windows Network objects"
-> {HKLM...CLSID} = "Shell extensions for Microsoft Windows Network objects"
\InProcServer32\(Default) = "ntlanui2.dll" [MS]
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}" = "ICM Monitor Management"
-> {HKLM...CLSID} = "ICM Monitor Management"
\InProcServer32\(Default) = "C:\WINDOWS\System32\icmui.dll" [MS]
"{675F097E-4C4D-11D0-B6C1-0800091AA605}" = "ICM Printer Management"
-> {HKLM...CLSID} = "ICM Printer Management"
\InProcServer32\(Default) = "C:\WINDOWS\system32\icmui.dll" [MS]
"{77597368-7b15-11d0-a0c2-080036af3f03}" = "Web Printer Shell Extension"
-> {HKLM...CLSID} = "Web Printer Shell Extension"
\InProcServer32\(Default) = "printui.dll" [MS]
"{7988B573-EC89-11cf-9C00-00AA00A14F56}" = "Disk Quota UI"
-> {HKLM...CLSID} = "Microsoft Disk Quota UI"
\InProcServer32\(Default) = "dskquoui.dll" [MS]
"{85BBD920-42A0-1069-A2E4-08002B30309D}" = "Briefcase"
-> {HKLM...CLSID} = "Briefcase"
\InProcServer32\(Default) = "syncui.dll" [MS]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BD84B380-8CA2-1069-AB1D-08000948F534}" = "Fonts"
-> {HKLM...CLSID} = "Fonts"
\InProcServer32\(Default) = "fontext.dll" [MS]
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" = "ICC Profile"
-> {HKLM...CLSID} = "ICC Profile"
\InProcServer32\(Default) = "C:\WINDOWS\system32\icmui.dll" [MS]
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" = "Printers Security Page"
-> {HKLM...CLSID} = "Security Shell Extension"
\InProcServer32\(Default) = "rshx32.dll" [MS]
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" = "Shell extensions for sharing"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}" = "Display TroubleShoot CPL Extension"
-> {HKLM...CLSID} = "Display TroubleShoot CPL Extension"
\InProcServer32\(Default) = "deskperf.dll" [MS]
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto PKO Extension"
-> {HKLM...CLSID} = "CryptPKO Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cryptext.dll" [MS]
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}" = "Crypto Sign Extension"
-> {HKLM...CLSID} = "CryptSig Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cryptext.dll" [MS]
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}" = "Network Connections"
-> {HKLM...CLSID} = "Network Connections"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NETSHELL.dll" [MS]
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Network Connections"
-> {HKLM...CLSID} = "Network Connections"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NETSHELL.dll" [MS]
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{905667aa-acd6-11d2-8080-00805f6596d2}" = "Scanners & Cameras"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}" = "Scanners & Cameras"
-> {HKLM...CLSID} = "Scanners & Cameras"
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{83bbcbf3-b28a-4919-a5aa-73027445d672}" = "Scanners & Cameras"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "wiashext.dll" [MS]
"{F0152790-D56E-4445-850E-4F3117DB740C}" = "Remote Sessions CPL Extension"
-> {HKLM...CLSID} = "Remote Sessions CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\remotepg.dll" [MS]
"{60254CA5-953B-11CF-8C96-00AA00B8708C}" = "Shell extensions for Windows Script Host"
-> {HKLM...CLSID} = "Shell Extension For Windows Script Host"
\InProcServer32\(Default) = "C:\WINDOWS\System32\wshext.dll" [MS]
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" = "Microsoft Data Link"
-> {HKLM...CLSID} = "Microsoft OLE DB Service Component Data Links"
\InProcServer32\(Default) = "C:\Program Files\Common Files\system\ole db\oledb32.dll" [MS]
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Icon Handler"
-> {HKLM...CLSID} = "Scheduling UI icon handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Shell Extension"
-> {HKLM...CLSID} = "Scheduling UI property sheet handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" = "Scheduled Tasks"
-> {HKLM...CLSID} = "Scheduled Tasks"

TotalTech
2007-12-10, 18:28
\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}" = "Search"
-> {HKLM...CLSID} = "Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}" = "Help and Support"
-> {HKLM...CLSID} = "Help and Support"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" = "Help and Support"
-> {HKLM...CLSID} = "Windows Security"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" = "Run..."
-> {HKLM...CLSID} = "Run..."
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" = "Internet"
-> {HKLM...CLSID} = "Internet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}" = "E-mail"
-> {HKLM...CLSID} = "E-mail"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{D20EA4E1-3957-11d2-A40B-0C5020524152}" = "Fonts"
-> {HKLM...CLSID} = "Fonts"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{D20EA4E1-3957-11d2-A40B-0C5020524153}" = "Administrative Tools"
-> {HKLM...CLSID} = "Administrative Tools"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" = "Audio Media Properties Handler"
-> {HKLM...CLSID} = "Audio Media Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" = "Video Media Properties Handler"
-> {HKLM...CLSID} = "Video Media Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}" = "Wav Properties Handler"
-> {HKLM...CLSID} = "Wav Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" = "Avi Properties Handler"
-> {HKLM...CLSID} = "Avi Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}" = "Midi Properties Handler"
-> {HKLM...CLSID} = "Midi Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{c5a40261-cd64-4ccf-84cb-c394da41d590}" = "Video Thumbnail Extractor"
-> {HKLM...CLSID} = "Video Thumbnail Extractor"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shmedia.dll" [MS]
"{5E6AB780-7743-11CF-A12B-00AA004AE837}" = "Microsoft Internet Toolbar"
-> {HKLM...CLSID} = "Microsoft Internet Toolbar"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}" = "Download Status"
-> {HKLM...CLSID} = "Download Status"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}" = "Augmented Shell Folder"
-> {HKLM...CLSID} = "Augmented Shell Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{6413BA2C-B461-11d1-A18A-080036B11A03}" = "Augmented Shell Folder 2"
-> {HKLM...CLSID} = "Augmented Shell Folder 2"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}" = "BandProxy"
-> {HKLM...CLSID} = "BandProxy"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}" = "Microsoft BrowserBand"
-> {HKLM...CLSID} = "Microsoft BrowserBand"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{30D02401-6A81-11d0-8274-00C04FD5AE38}" = "IE Search Band"
-> {HKLM...CLSID} = "IE Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" = "In-pane search"
-> {HKLM...CLSID} = "In-pane search"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{07798131-AF23-11d1-9111-00A0C98BA67D}" = "Web Search"
-> {HKLM...CLSID} = "Web Search"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}" = "Registry Tree Options Utility"
-> {HKLM...CLSID} = "Registry Tree Options Utility"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}" = "&Address"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{A08C11D2-A228-11d0-825B-00AA005B4383}" = "Address EditBox"
-> {HKLM...CLSID} = "Address EditBox"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2763-6A77-11D0-A535-00C04FD7D062}" = "Microsoft AutoComplete"
-> {HKLM...CLSID} = "Microsoft AutoComplete"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{7376D660-C583-11d0-A3A5-00C04FD706EC}" = "TridentImageExtractor"
-> {HKLM...CLSID} = "TridentImageExtractor"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{6756A641-DE71-11d0-831B-00AA005B4383}" = "MRU AutoComplete List"
-> {HKLM...CLSID} = "MRU AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" = "Custom MRU AutoCompleted List"
-> {HKLM...CLSID} = "Custom MRU AutoCompleted List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{7e653215-fa25-46bd-a339-34a2790f3cb7}" = "Accessible"
-> {HKLM...CLSID} = "Accessible"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{acf35015-526e-4230-9596-becbe19f0ac9}" = "Track Popup Bar"
-> {HKLM...CLSID} = "Track Popup Bar"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" = "Address Bar Parser"
-> {HKLM...CLSID} = "Address Bar Parser"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2764-6A77-11D0-A535-00C04FD7D062}" = "Microsoft History AutoComplete List"
-> {HKLM...CLSID} = "Microsoft History AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{03C036F1-A186-11D0-824A-00AA005B4383}" = "Microsoft Shell Folder AutoComplete List"
-> {HKLM...CLSID} = "Microsoft Shell Folder AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{00BB2765-6A77-11D0-A535-00C04FD7D062}" = "Microsoft Multiple AutoComplete List Container"
-> {HKLM...CLSID} = "Microsoft Multiple AutoComplete List Container"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" = "Shell Band Site Menu"
-> {HKLM...CLSID} = "Shell Band Site Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" = "Shell DeskBarApp"
-> {HKLM...CLSID} = "Shell DeskBarApp"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" = "Shell DeskBar"
-> {HKLM...CLSID} = "Shell DeskBar"

TotalTech
2007-12-10, 18:29
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" = "Shell Rebar BandSite"
-> {HKLM...CLSID} = "Shell Rebar BandSite"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" = "User Assist"
-> {HKLM...CLSID} = "User Assist"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" = "Global Folder Settings"
-> {HKLM...CLSID} = "Global Folder Settings"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" = "Favorites Band"
-> {HKLM...CLSID} = "Favorites Band"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{0A89A860-D7B1-11CE-8350-444553540000}" = "Shell Automation Inproc Service"
-> {HKLM...CLSID} = "Shell Automation Inproc Service"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" = "Shell DocObject Viewer"
-> {HKLM...CLSID} = "Shell DocObject Viewer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" = "Microsoft Browser Architecture"
-> {HKLM...CLSID} = "Microsoft Browser Architecture"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "InternetShortcut"
-> {HKLM...CLSID} = "Internet Shortcut"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" = "Microsoft Url History Service"
-> {HKLM...CLSID} = "Microsoft Url History Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]
"{FF393560-C2A7-11CF-BFF4-444553540000}" = "History"
-> {HKLM...CLSID} = "History"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft Url Search Hook"
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" = "IE4 Suite Splash Screen"
-> {HKLM...CLSID} = "IE4 Suite Splash Screen"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" = "CDF Extension Copy Hook"
-> {HKLM...CLSID} = "CDF Extension Copy Hook"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{131A6951-7F78-11D0-A979-00C04FD705A2}" = "ISFBand OC"
-> {HKLM...CLSID} = "ISFBand OC"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}" = "Search Assistant OC"
-> {HKLM...CLSID} = "Search Assistant OC"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" = "The Internet"
-> {HKLM...CLSID} = "The Internet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "Internet Name Space"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" = "Explorer Band"
-> {HKLM...CLSID} = "Explorer Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\sendmail.dll" [MS]
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" = "Sendmail service"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\sendmail.dll" [MS]
"{88C6C381-2E85-11D0-94DE-444553540000}" = "ActiveX Cache Folder"
-> {HKLM...CLSID} = "ActiveX Cache Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\occache.dll" [MS]
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" = "WebCheck"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}" = "Subscription Mgr"
-> {HKLM...CLSID} = "Subscription Mgr"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{F5175861-2688-11d0-9C5E-00AA00A45957}" = "Subscription Folder"
-> {HKLM...CLSID} = "Subscription Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{08165EA0-E946-11CF-9C87-00AA005127ED}" = "WebCheckWebCrawler"
-> {HKLM...CLSID} = "WebCheckWebCrawler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}" = "WebCheckChannelAgent"
-> {HKLM...CLSID} = "WebCheckChannelAgent"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}" = "TrayAgent"
-> {HKLM...CLSID} = "TrayAgent"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" = "Code Download Agent"
-> {HKLM...CLSID} = "Code Download Agent"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}" = "ConnectionAgent"
-> {HKLM...CLSID} = "ConnectionAgent"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}" = "PostAgent"
-> {HKLM...CLSID} = "PostAgent"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}" = "WebCheck SyncMgr Handler"
-> {HKLM...CLSID} = "WebCheck SyncMgr Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{352EC2B7-8B9A-11D1-B8AE-006008059382}" = "Shell Application Manager"
-> {HKLM...CLSID} = "Shell Application Manager"
\InProcServer32\(Default) = "C:\WINDOWS\System32\appwiz.cpl" [MS]
"{0B124F8F-91F0-11D1-B8B5-006008059382}" = "Installed Apps Enumerator"
-> {HKLM...CLSID} = "Installed Apps Enumerator"
\InProcServer32\(Default) = "C:\WINDOWS\System32\appwiz.cpl" [MS]
"{CFCCC7A0-A282-11D1-9082-006008059382}" = "Darwin App Publisher"
-> {HKLM...CLSID} = "Darwin App Publisher"
\InProcServer32\(Default) = "C:\WINDOWS\System32\appwiz.cpl" [MS]
"{e84fda7c-1d6a-45f6-b725-cb260c236066}" = "Shell Image Verbs"
-> {HKLM...CLSID} = "Shell Image Verbs"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}" = "Shell Image Data Factory"
-> {HKLM...CLSID} = "Shell Image Data Factory"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}" = "GDI+ file thumbnail extractor"
-> {HKLM...CLSID} = "GDI+ file thumbnail extractor"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}" = "Summary Info Thumbnail handler (DOCFILES)"
-> {HKLM...CLSID} = "Summary Info Thumbnail handler (DOCFILES)"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{EAB841A0-9550-11cf-8C16-00805F1408F3}" = "HTML Thumbnail Extractor"
-> {HKLM...CLSID} = "HTML Thumbnail Extractor"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}" = "Shell Image Property Handler"
-> {HKLM...CLSID} = "Shell Image Property Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shimgvw.dll" [MS]
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}" = "Web Publishing Wizard"
-> {HKLM...CLSID} = "Web Publishing Wizard"
\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [MS]
"{add36aa8-751a-4579-a266-d66f5202ccbb}" = "Print Ordering via the Web"
-> {HKLM...CLSID} = "Print Ordering via the Web"
\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [MS]
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}" = "Shell Publishing Wizard Object"
-> {HKLM...CLSID} = "Shell Publishing Wizard Object"
\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [MS]
"{58f1f272-9240-4f51-b6d4-fd63d1618591}" = "Get a Passport Wizard"
-> {HKLM...CLSID} = "Get a Passport Wizard"
\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [MS]
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}" = "Compressed (zipped) Folder"
-> {HKLM...CLSID} = "CompressedFolder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\zipfldr.dll" [MS]
"{BD472F60-27FA-11cf-B8B4-444553540000}" = "Compressed (zipped) Folder Right Drag Handler"
-> {HKLM...CLSID} = "Compressed (zipped) Folder Right Drag Handler"
\InProcServer32\(Default) = "C:\WINDOWS\System32\zipfldr.dll" [MS]
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}" = "Compressed (zipped) Folder SendTo Target"
-> {HKLM...CLSID} = "Compressed (zipped) Folder SendTo Target"
\InProcServer32\(Default) = "C:\WINDOWS\System32\zipfldr.dll" [MS]
"{63da6ec0-2e98-11cf-8d82-444553540000}" = "FTP Folders Webview"
-> {HKLM...CLSID} = "Microsoft FTP Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msieftp.dll" [MS]
"{883373C3-BF89-11D1-BE35-080036B11A03}" = "Microsoft DocProp Shell Ext"
-> {HKLM...CLSID} = "Microsoft DocProp Shell Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}" = "Microsoft DocProp Inplace Edit Box Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Edit Box Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{8EE97210-FD1F-4B19-91DA-67914005F020}" = "Microsoft DocProp Inplace ML Edit Box Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace ML Edit Box Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}" = "Microsoft DocProp Inplace Droplist Combo Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Droplist Combo Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{6A205B57-2567-4A2C-B881-F787FAB579A3}" = "Microsoft DocProp Inplace Calendar Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Calendar Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}" = "Microsoft DocProp Inplace Time Control"
-> {HKLM...CLSID} = "Microsoft DocProp Inplace Time Control"

TotalTech
2007-12-10, 18:31
\InProcServer32\(Default) = "C:\WINDOWS\System32\docprop2.dll" [MS]
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" = "Directory Query UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsquery.dll" [MS]
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" = "Shell properties for a DS object"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsquery.dll" [MS]
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}" = "Directory Object Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsquery.dll" [MS]
"{F020E586-5264-11d1-A532-0000F8757D7E}" = "Directory Start/Search Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsquery.dll" [MS]
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}" = "Directory Property UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsuiext.dll" [MS]
"{62AE1F9A-126A-11D0-A14B-0800361B1103}" = "Directory Context Menu Verbs"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\dsuiext.dll" [MS]
"{ECF03A33-103D-11d2-854D-006008059367}" = "MyDocs Copy Hook"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\mydocs.dll" [MS]
"{ECF03A32-103D-11d2-854D-006008059367}" = "MyDocs Drop Target"
-> {HKLM...CLSID} = "MyDocs Drop Target"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mydocs.dll" [MS]
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}" = "MyDocs Properties"
-> {HKLM...CLSID} = "MyDocs menu and properties"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mydocs.dll" [MS]
"{750fdf0e-2a26-11d1-a3ea-080036587f03}" = "Offline Files Menu"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}" = "Offline Files Folder Options"
-> {HKLM...CLSID} = "Offline Files Folder Options"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}" = "Offline Files Folder"
-> {HKLM...CLSID} = "Offline Files Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}" = "Microsoft Agent Character Property Sheet Handler"
-> {HKLM...CLSID} = "Microsoft Agent Character Property Sheet Handler"
\InProcServer32\(Default) = "C:\WINDOWS\msagent\agentpsh.dll" [MS]
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}" = "DfsShell"
-> {HKLM...CLSID} = "DfsShell Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\dfsshlex.dll" [MS]
"{60fd46de-f830-4894-a628-6fa81bc0190d}" = "%DESC_PublishDropTarget%"
-> {HKLM...CLSID} = "DropTarget Object for Photo Printing Wizard"
\InProcServer32\(Default) = "C:\WINDOWS\System32\photowiz.dll" [MS]
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}" = "MMC Icon Handler"
-> {HKLM...CLSID} = "ExtractIcon Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mmcshext.dll" [MS]
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" = ".CAB file viewer"
-> {HKLM...CLSID} = "Cabinet File"
\InProcServer32\(Default) = "cabview.dll" [MS]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "For &People..."
-> {HKLM...CLSID} = "For &People..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [MS]
"{8DD448E6-C188-4aed-AF92-44956194EB1F}" = "Windows Media Player Play as Playlist Context Menu Handler"
-> {HKLM...CLSID} = "WMP Burn Audio CD Launcher"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wmpshell.dll" [MS]
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}" = "Windows Media Player Burn Audio CD Context Menu Handler"
-> {HKLM...CLSID} = "WMP Play As Playlist Launcher"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wmpshell.dll" [MS]
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}" = "Windows Media Player Add to Playlist Context Menu Handler"
-> {HKLM...CLSID} = "WMP Add To Playlist Launcher"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wmpshell.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" = "Auto Update Property Sheet Extension"
-> {HKLM...CLSID} = "Auto Update Property Sheet Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wuaucpl.cpl" [MS]
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}" = "Set Program Access and Defaults"
-> {HKLM...CLSID} = "Set Program Access and Defaults"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {HKLM...CLSID} = "Previous Versions Property Page"
\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [MS]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {HKLM...CLSID} = "Previous Versions"
\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [MS]
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" = "Extensions Manager Folder"
-> {HKLM...CLSID} = "Extensions Manager Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\extmgr.dll" [MS]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = "Web Folders"
-> {HKLM...CLSID} = "Web Folders"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{1D2680C9-0E2A-469d-B787-065558BC7D43}" = "Fusion Cache"
-> {HKLM...CLSID} = "Fusion Cache"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Objects"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Hood Verbs"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{07C45BB1-4A8C-4642-A1F5-237E7215FF66}" = "IE Microsoft BrowserBand"
-> {HKLM...CLSID} = "IE Microsoft BrowserBand"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{1C1EDB47-CE22-4bbb-B608-77B48F83C823}" = "IE Fade Task"
-> {HKLM...CLSID} = "IE Fade Task"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{205D7A97-F16D-4691-86EF-F3075DCCA57D}" = "IE Menu Desk Bar"
-> {HKLM...CLSID} = "IE Menu Desk Bar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE AutoComplete"
-> {HKLM...CLSID} = "IE AutoComplete"

TotalTech
2007-12-10, 18:32
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{43886CD5-6529-41c4-A707-7B3C92C05E68}" = "IE Navigation Bar"
-> {HKLM...CLSID} = "IE Navigation Bar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{44C76ECD-F7FA-411c-9929-1B77BA77F524}" = "IE Menu Site"
-> {HKLM...CLSID} = "IE Menu Site"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{4B78D326-D922-44f9-AF2A-07805C2A3560}" = "IE Menu Band"
-> {HKLM...CLSID} = "IE Menu Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{6038EF75-ABFC-4e59-AB6F-12D397F6568D}" = "IE Microsoft History AutoComplete List"
-> {HKLM...CLSID} = "IE Microsoft History AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}" = "IE Tracking Shell Menu"
-> {HKLM...CLSID} = "IE Tracking Shell Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{6CF48EF8-44CD-45d2-8832-A16EA016311B}" = "IE IShellFolderBand"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{73CFD649-CD48-4fd8-A272-2070EA56526B}" = "IE BandProxy"
-> {HKLM...CLSID} = "IE BandProxy"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8}" = "IE MRU AutoComplete List"
-> {HKLM...CLSID} = "IE MRU AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E}" = "IE RSS Feeder Folder"
-> {HKLM...CLSID} = "IE RSS Feeds Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{9D958C62-3954-4b44-8FAB-C4670C1DB4C2}" = "IE Microsoft Shell Folder AutoComplete List"
-> {HKLM...CLSID} = "IE Microsoft Shell Folder AutoComplete List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{B31C5FAE-961F-415b-BAF0-E697A5178B94}" = "IE Microsoft Multiple AutoComplete List Container"
-> {HKLM...CLSID} = "IE Microsoft Multiple AutoComplete List Container"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}" = "Microsoft Browser Architecture"
-> {HKLM...CLSID} = "Microsoft Browser Architecture"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A}" = "IE Shell Rebar BandSite"
-> {HKLM...CLSID} = "IE Shell Rebar BandSite"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{E6EE9AAC-F76B-4947-8260-A9F136138E11}" = "IE Shell Band Site Menu"
-> {HKLM...CLSID} = "IE Shell Band Site Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{F2CF5485-4E02-4f68-819C-B92DE9277049}" = "&Links"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E}" = "IE Registry Tree Options Utility"
-> {HKLM...CLSID} = "IE Registry Tree Options Utility"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}" = "IE User Assist"
-> {HKLM...CLSID} = "IE User Assist"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{FDE7673D-2E19-4145-8376-BBD58C4BC7BA}" = "IE Custom MRU AutoCompleted List"
-> {HKLM...CLSID} = "IE Custom MRU AutoCompleted List"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}" = "Registered ActiveX Controls"
-> {HKLM...CLSID} = "Registered ActiveX Controls"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D545EBD1-BD92-11CF-8772-00A0C9039735}" = "Developer Studio Components"
-> {HKLM...CLSID} = "Developer Studio Components"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{4700D2DB-2BEE-477d-ACE3-CBFFDFBAF81D}" = "F-PROT Shell Context Menu Handler"
-> {HKLM...CLSID} = "CFriskShellExtension Class"
\InProcServer32\(Default) = "C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\shellext.dll" ["FRISK Software International"]
"{21D928D4-4850-45E3-9982-AD57051ECD42}" = "Edrawings Document Thumbnail Handler"
-> {HKLM...CLSID} = "EdrawingThumbNailProvider Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\eDrawings2008\edrwthumbnailprovider.dll" ["Solidworks"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}" = "Browseui preloader"
-> {HKLM...CLSID} = "Browseui preloader"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}" = "Component Categories cache daemon"
-> {HKLM...CLSID} = "Component Categories cache daemon"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = (no title provided)
-> {HKLM...CLSID} = "URL Exec Hook"
\InProcServer32\(Default) = "shell32.dll" [MS]
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> {HKLM...CLSID} = "PostBootReminder object"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> {HKLM...CLSID} = "ShellFolder for CD Burning"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> {HKLM...CLSID} = "WebCheck"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> {HKLM...CLSID} = "SysTray"
\InProcServer32\(Default) = "C:\WINDOWS\System32\stobject.dll" [MS]

HKCU\Software\Microsoft\Command Processor\
"AutoRun" = (value not found)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Shell" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not found)
"run" = (value not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Shell" = (value not found)

HKLM\Software\Microsoft\Command Processor\
"AutoRun" = (value not found)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL" ["Google"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"GinaDLL" = (value not found)
"Shell" = "Explorer.exe" [MS]
"Taskman" = (value not found)
"Userinit" = "C:\WINDOWS\system32\userinit.exe," [MS]
"System" = (empty string)

HKLM\System\CurrentControlSet\Control\SafeBoot\Option\
"UseAlternateShell" = (value not found)

HKLM\System\CurrentControlSet\Control\SecurityProviders\
"SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKLM\System\CurrentControlSet\Control\Session Manager\
"BootExecute" = "autocheck autochk *"

HKLM\System\CurrentControlSet\Control\WOW\
"cmdline" = "C:\WINDOWS\system32\ntvdm.exe" [MS]
"wowcmdline" = "C:\WINDOWS\system32\ntvdm.exe -a C:\WINDOWS\system32\krnl386" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
crypt32chain\DLLName = "crypt32.dll" [MS]
cryptnet\DLLName = "cryptnet.dll" [MS]
cscdll\DLLName = "cscdll.dll" [MS]
ScCertProp\DLLName = "wlnotify.dll" [MS]
Schedule\DLLName = "wlnotify.dll" [MS]
sclgntfy\DLLName = "sclgntfy.dll" [MS]
<<!>> Sebring\DLLName = "C:\WINDOWS\System32\LgNotify.dll" ["Intel Corporation"]
SensLogn\DLLName = "WlNotify.dll" [MS]
termsrv\DLLName = "wlnotify.dll" [MS]
WgaLogon\DLLName = "WgaLogon.dll" [MS]
wlballoon\DLLName = "wlnotify.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Your Image File Name Here without a path\Debugger = "ntsd -d" [MS]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon\

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\

HKLM\Software\Classes\PROTOCOLS\Filter\
application/octet-stream\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "mscoree.dll" [MS]
application/x-complus\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "mscoree.dll" [MS]
application/x-msdownload\CLSID = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
-> {HKLM...CLSID} = "Cor MIME Filter, CorFltr, CorFltr 1"
\InProcServer32\(Default) = "mscoree.dll" [MS]
Class Install Handler\CLSID = "{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
-> {HKLM...CLSID} = "AP Class Install Handler filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
deflate\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP encoding/decoding Filters"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
gzip\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP encoding/decoding Filters"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
lzdhtml\CLSID = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
-> {HKLM...CLSID} = "AP encoding/decoding Filters"
\InProcServer32\(Default) = "C:\WINDOWS\system32\urlmon.dll" [MS]
text/webviewhtml\CLSID = "{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
-> {HKLM...CLSID} = "WebView MIME Filter"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0D2E74C4-3C34-11d2-A27E-00C04FC30871}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{24F14F01-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{24F14F02-7B1C-11d1-838f-0000F80461CF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
{66742402-F9B9-11D1-A202-0000F81FEDEE}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

TotalTech
2007-12-10, 18:37
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
F-PROT Antivirus\(Default) = "{4700D2DB-2BEE-477d-ACE3-CBFFDFBAF81D}"
-> {HKLM...CLSID} = "CFriskShellExtension Class"
\InProcServer32\(Default) = "C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\shellext.dll" ["FRISK Software International"]
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
Open With\(Default) = "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
-> {HKLM...CLSID} = "Open With Context Menu Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
Open With EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Encryption Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
EncryptionMenu\(Default) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"
-> {HKLM...CLSID} = "Encryption Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
Offline Files\(Default) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}"
-> {HKLM...CLSID} = "Offline Files Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\cscui.dll" [MS]
Sharing\(Default) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
-> {HKLM...CLSID} = "Shell extensions for sharing"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
F-PROT Antivirus\(Default) = "{4700D2DB-2BEE-477d-ACE3-CBFFDFBAF81D}"
-> {HKLM...CLSID} = "CFriskShellExtension Class"
\InProcServer32\(Default) = "C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\shellext.dll" ["FRISK Software International"]
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
Send To\(Default) = "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
-> {HKLM...CLSID} = "Microsoft SendTo Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]


Default executables:
--------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr

HKLM\Software\Classes\.bat\(Default) = "batfile"
HKLM\Software\Classes\batfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.cmd\(Default) = "cmdfile"
HKLM\Software\Classes\cmdfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.com\(Default) = "comfile"
HKLM\Software\Classes\comfile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.exe\(Default) = "exefile"
HKLM\Software\Classes\exefile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.hta\(Default) = "htafile"
HKLM\Software\Classes\htafile\shell\open\command\(Default) = "C:\WINDOWS\system32\mshta.exe "%1" %*"

HKLM\Software\Classes\.pif\(Default) = "piffile"
HKLM\Software\Classes\piffile\shell\open\command\(Default) = ""%1" %*"

HKLM\Software\Classes\.scr\(Default) = "scrfile"
HKLM\Software\Classes\scrfile\shell\open\command\(Default) = ""%1" /S"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDriveTypeAutoRun" = (REG_DWORD) dword:0x00000091
{User Configuration|Administrative Templates|Windows Components|AutoPlay Policies|
Turn off Autoplay}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDriveAutoRun" = (REG_DWORD) dword:0x03FFFFFF
{Turn off autoplay for drive letter}

"NoDriveTypeAutoRun" = (REG_DWORD) dword:0x000000FF
{Computer Configuration|Administrative Templates|Windows Components|AutoPlay Policies|
Turn off Autoplay}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKCU\Software\Policies\Microsoft\Internet Explorer\Download\

HKLM\Software\Policies\Microsoft\Internet Explorer\Download\

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Security\

HKLM\Software\Policies\Microsoft\Internet Explorer\Security\

HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKCU\Software\Policies\Microsoft\Windows\Network Connections\

HKCU\Software\Policies\Microsoft\Windows\System\

HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

TotalTech
2007-12-10, 18:41
"dontdisplaylastusername" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Interactive logon: Do not display last user name}

"legalnoticetext" = (REG_SZ) (empty string)
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Interactive logon: Message text for users attempting to log on}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\dell.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = (value not set)


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\7ZTT4DHE\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\BXM6HEXB\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\QEYOC5OQ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\Y61MC2UI\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\Application Data\Microsoft\Feeds Cache\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\Application Data\Microsoft\Feeds Cache\7YMO97DU\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\Application Data\Microsoft\Feeds Cache\JFPU9KGB\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\Application Data\Microsoft\Feeds Cache\K6C6D241\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\Application Data\Microsoft\Feeds Cache\Y2GQ66C7\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\Temporary Internet Files\Content.IE5\28QFCZ1D\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\Temporary Internet Files\Content.IE5\4DQGUEQ1\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\Temporary Internet Files\Content.IE5\8CRA0OCX\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Administrator.LAGUNATOOLS\Local Settings\Temporary Internet Files\Content.IE5\MJI8G3AE\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Barrett\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Barrett\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Barrett\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Catherine\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Catherine\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Catherine\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Default User\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Default User\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

TotalTech
2007-12-10, 18:43
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Derek\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Derek\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Derek\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\IT\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\IT\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\IT\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\it.LAGUNATOOLS\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\it.LAGUNATOOLS\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\it.LAGUNATOOLS\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\jdean\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\jdean.TOOLS\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\LocalService\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\morgan\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\morgan\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\morgan\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Torben\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Torben\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Torben\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Torben.LAGUNATOOLS\Local Settings\Application Data\Microsoft\Feeds Cache\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Torben.LAGUNATOOLS\Local Settings\Application Data\Microsoft\Feeds Cache\0COTBV0Y\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Torben.LAGUNATOOLS\Local Settings\Application Data\Microsoft\Feeds Cache\6P0IT1VC\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Torben.LAGUNATOOLS\Local Settings\Application Data\Microsoft\Feeds Cache\Y7BCRT7Q\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Torben.LAGUNATOOLS\Local Settings\Application Data\Microsoft\Feeds Cache\YX539ZVK\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\Documents and Settings\Torben.LAGUNATOOLS\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Torben.LAGUNATOOLS\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\Documents and Settings\Torben.LAGUNATOOLS\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\assembly\DESKTOP.INI
[.ShellClassInfo]
CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS]

C:\WINDOWS\Downloaded Program Files\DESKTOP.INI
[.ShellClassInfo]
CLSID={88C6C381-2E85-11d0-94DE-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\occache.dll" [MS]

C:\WINDOWS\Fonts\DESKTOP.INI
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
-> {HKLM...CLSID}\InProcServer32\(Default) = "fontext.dll" [MS]

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4PQ7052J\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DARKL23\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9M7KX6B\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

C:\WINDOWS\Tasks\DESKTOP.INI
[.ShellClassInfo]
CLSID={d6277990-4c6a-11cf-8d87-00aa0060f5bf}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\mstask.dll" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrator.LAGUNATOOLS\Start Menu\Programs\Startup

C:\Documents and Settings\All Users\Start Menu\Programs\Startup


Enabled Scheduled Tasks:
------------------------

"Daily" -> launches: "C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPWin.exe /scan Daily" ["FRISK Software"]
"Weekly" -> launches: "C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPWin.exe /scan Weekly" ["FRISK Software"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"
-> {HKLM...CLSID} = "&Address"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
{4D5C8C25-D075-11D0-B416-00C04FB90376}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Tip of the Day"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{30D02401-6A81-11D0-8274-00C04FD5AE38}\(Default) = "IE Search Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\Software\Classes\CLSID\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}\(Default) = "&Discuss"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\(Default) = "File Search Explorer Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

HKLM\Software\Classes\CLSID\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}\(Default) = "Favorites Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}\(Default) = "History Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}\(Default) = "Explorer Band"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw32.dll" [file not found]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {HKLM...CLSID} = "Web Browser Applet Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

TotalTech
2007-12-10, 18:44
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Internet Explorer Address Prefixes:
-----------------------------------

Prefix for bare domain ("domain-name-here.com")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Default Prefix\
(Default) = "http://"

Prefix for specific service (i.e., "www")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\
"ftp" = "ftp://"
"gopher" = "gopher://"
"home" = "http://"
"mosaic" = "http://"
"www" = "http://"
<<H>> "windx" = "windx://"
<<H>> "windx." = "windx://"


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = (no title provided)
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
"NavigationFailure" = "res://ieframe.dll/navcancl.htm" [MS]
"DesktopItemNavigationFailure" = "res://ieframe.dll/navcancl.htm" [MS]
"NavigationCanceled" = "res://ieframe.dll/navcancl.htm" [MS]
"OfflineInformation" = "res://ieframe.dll/offcancl.htm" [MS]
"Home" = dword:0x0000010E
"blank" = "res://mshtml.dll/blank.htm" [MS]
"PostNotCached" = "res://ieframe.dll/repost.htm" [MS]
"NoAdd-ons" = "res://ieframe.dll/noaddon.htm" [MS]
"NoAdd-onsInfo" = "res://ieframe.dll/noaddoninfo.htm" [MS]
"SecurityRisk" = "res://ieframe.dll/securityatrisk.htm" [MS]
"Tabs" = "res://ieframe.dll/tabswelcome.htm" [MS]


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
"DataBasePath" = "C:\WINDOWS\System32\drivers\etc"

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
and this is the localhost IP address


All Running Services (Display Name, Service Name, Path {Service DLL}):
----------------------------------------------------------------------

Application Layer Gateway Service, ALG, "C:\WINDOWS\System32\alg.exe" [MS]
Automatic Updates, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wuauserv.dll" [MS]}
Client Service for NetWare, NWCWorkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\nwwks.dll" [MS]}
COM+ Event System, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\es.dll" [MS]}
Computer Browser, Browser, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\browser.dll" [MS]}
Cryptographic Services, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
DCOM Server Process Launcher, DcomLaunch, "C:\WINDOWS\system32\svchost -k DcomLaunch" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "C:\WINDOWS\System32\svchost.exe -k NetworkService" {"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
Error Reporting Service, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
F-PROT Antivirus for Windows system, FPAVServer, ""C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe"" ["FRISK Software"]
Help and Support, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
HID Input Service, HidServ, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\hidserv.dll" [MS]}
IPSEC Services, PolicyAgent, "C:\WINDOWS\System32\lsass.exe" [MS]
Logical Disk Manager, dmserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dmserver.dll" [MS]}
Net Logon, Netlogon, "C:\WINDOWS\System32\lsass.exe" [MS]
Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\System32\rpcss.dll" [MS]}
Remote Registry, RemoteRegistry, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\system32\regsvc.dll" [MS]}
Secondary Logon, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Server, lanmanserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Smart Card, SCardSvr, "C:\WINDOWS\System32\SCardSvr.exe" [MS]
System Event Notification, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
System Restore Service, srservice, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srsvc.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
Telephony, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Terminal Services, TermService, "C:\WINDOWS\System32\svchost -k DComLaunch" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
Themes, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
WebClient, WebClient, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Firewall/Internet Connection Sharing (ICS), SharedAccess, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipnathlp.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\WINDOWS\System32\svchost.exe -k imgsvc" {"C:\WINDOWS\system32\wiaservc.dll" [MS]}
Windows Management Instrumentation, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, w32time, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\w32time.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Wireless Zero Configuration, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = "kbdclass" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
BJ Language Monitor\Driver = "cnbjmon.dll" [MS]
HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
hpzlnt05\Driver = "hpzlnt05.dll" ["HP"]
Local Port\Driver = "localspl.dll" [MS]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PJL Language Monitor\Driver = "pjlmon.dll" [MS]
Standard TCP/IP Port\Driver = "tcpmon.dll" [MS]
TeleMagic Fax Monitor 35\Driver = "dtmon.dll" ["Data Techniques, Inc."]
USB Monitor\Driver = "usbmon.dll" [MS]


-- (total run time: 143 seconds)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

TotalTech
2007-12-10, 18:45
Woo, you weren't joking that it was going to be a long one. There it is for you though; thank you for all of your help.

Mr_JAk3
2007-12-10, 19:52
Yeah, a long one; it will take some time to go through...

You could run this scanner too (we'll see if there is something hidden).

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

TotalTech
2007-12-10, 21:28
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-12-10 12:23:50
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.13 ----

? System32\Drivers\hiber_WMILIB.SYS The system cannot find the file specified.

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!OpenServiceW] [6F8A065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!ControlService] [6F8A0680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!OpenServiceW] [6F8A065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\WS2HELP.dll [ADVAPI32.dll!OpenServiceA] [6F8A063A] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!OpenServiceW] [6F8A065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!ControlService] [6F8A0680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\WINDOWS\system32\ZCfgSvc.exe[732] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F859E1D6] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F859E322] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F8ACF156] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F8ACE9DA] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F8ACEFBF] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F8ACFCE2] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F8ACE9BC] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_NAMED_PIPE [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLOSE [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_INFORMATION [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_INFORMATION [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_EA [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_EA [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_VOLUME_INFORMATION [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_VOLUME_INFORMATION [F8584B02] symsnap.sys

TotalTech
2007-12-10, 21:29
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DIRECTORY_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FILE_SYSTEM_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_LOCK_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_MAILSLOT [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_SECURITY [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_SECURITY [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CHANGE [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_QUOTA [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_QUOTA [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE_NAMED_PIPE [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLOSE [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_INFORMATION [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_INFORMATION [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_EA [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_EA [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_VOLUME_INFORMATION [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_VOLUME_INFORMATION [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DIRECTORY_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FILE_SYSTEM_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_LOCK_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE_MAILSLOT [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_SECURITY [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_SECURITY [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CHANGE [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_QUOTA [F8584B02] symsnap.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_QUOTA [F8584B02] symsnap.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F859E1D6] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F859E322] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F859E19C] FStopW.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F8ACF156] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F8ACE9DA] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F8ACEFBF] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F8ACFCE2] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F8ACE9BC] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F8ACC628] TmPreFlt.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F8ACC628] TmPreFlt.sys

Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE F7976400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE F7976400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ F7976400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION F7976400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION F7976400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION F7976400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL F7976400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL F7976400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL F7976400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN F7979C74
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL F7976400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP F7976400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP F7976400
Device \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible F7979BCE

---- EOF - GMER 1.0.13 ----

Mr_JAk3
2007-12-12, 20:09
Hi :)

Okay nothing looks fishy in the registry.

We could see if running the System File Checker helps us. Please follow these instructions -> Link (http://dwightblackburn.com/winxp/)

Reboot and let me know if it helped.

TotalTech
2007-12-14, 18:28
Ran the tool you linked and it ran just fine with no errors. On reboot I still have no desktop or Explorer.

Mr_JAk3
2007-12-15, 12:21
Hi :)

Okay, now I think that the only thing to do is to do a repair installation (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx) :sad:

Or if you want, a full reformat and a fresh installation. Let me know if you want to format and I'll give instructions.

:bigthumb:

TotalTech
2007-12-17, 20:00
Success! I have a desktop and Explorer again.

Do you want another HJT log to double check everything?

Mr_JAk3
2007-12-17, 20:29
Hi


Quote: "Success I have a Desktop and explorer again."

That's great news. May I ask what you did?

Yes post a fresh HJT log just to be sure... :bigthumb:

TotalTech
2007-12-17, 23:11
I did the install/repair. It seems to have worked, except that when I try to run Windows Update the updates download but fail to install. I have been able to install a few of them manually, but there are 82 still to go.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:06, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abetterblade.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI] C:\WINDOWS\temp\ATi2evxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00726/sb028.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\Software\..\Telephony: DomainName = lagunatools.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lagunatools.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe (file missing)

--
End of file - 5929 bytes
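
An added example (not part of this thread, and not a HijackThis feature): a small Python triage pass over a few entries copied from the log above, flagging the kinds of lines a log reviewer looks at twice (an autorun started from a temp directory, a Winsock LSP HijackThis does not recognise, an AppInit_DLLs entry, a service whose binary is missing). The sample entries are taken from the posted log; the review heuristics are my own assumption about common practice, and a flag is a prompt to verify the file, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few entries copied from the HijackThis log posted in
# this thread. Only these lines are used; it is not the complete log.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ATI] C:\WINDOWS\temp\ATi2evxx.exe
O4 - HKUS\S-1-5-18\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe (file missing)
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
"""

# A Windows path to a loadable binary, optionally quoted.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|cpl))', re.IGNORECASE)
# Directories a legitimate autorun normally does not live in (assumed heuristic).
TEMP_DIR_RE = re.compile(r'\\(?:temp|tmp)\\', re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    section: str   # HijackThis section tag, e.g. "O4"
    path: str
    reason: str


def extract_path(entry: str) -> str:
    """Return the first binary path found in an HJT entry, or '' if none."""
    m = PATH_RE.search(entry)
    return m.group(1) if m else ""


def triage(log_text: str) -> list:
    """Flag HJT entries worth a second look. Each flag is a review prompt,
    not a verdict: the flagged file still has to be checked by hand."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        m = re.match(r"(O\d+) - (.*)", line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        path = extract_path(body)
        if section == "O4" and TEMP_DIR_RE.search(path):
            findings.append(Finding(no, section, path,
                "autorun starts a binary from a temp directory"))
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append(Finding(no, section, path,
                "Winsock LSP not on the known-good list; verify the DLL"))
        elif section == "O20" and body.startswith("AppInit_DLLs:") and path:
            findings.append(Finding(no, section, path,
                "AppInit_DLLs is loaded into every user-mode GUI process; verify the DLL"))
        elif section == "O23" and "(file missing)" in body:
            findings.append(Finding(no, section, path,
                "service points to a missing binary (leftover uninstall or removed file)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} {f.section}: {f.reason}\n    {f.path}")
```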

Mr_JAk3
2007-12-18, 20:35
Hi again, it is looking clean now :)

About the Windows Update problem: you're not alone. Here is a site (http://support.microsoft.com/?kbid=906602) that may help (it also has links for contacting MS support).


You can remove the tools we used.

You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install a firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing, but I recommend that you install a more advanced firewall that gives more protection. The Windows firewall doesn't, for example, protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)


=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)