Error loading rundll and chinese popups

T

TotalTech

New member
On Start up I recieve a rundll failed to load error of c:\windows\system32\w0hq.dll when I open up the internet explorer and click on links I recieve random popups to chinese based web pages, I ran the Kaspersky and it found 6 viruses and 32 infected objects but was unable to get a log file. Below is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:40 AM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abetterblade.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\system32\SVCH0ST.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:\WINDOWS\system32\0841.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\RunOnce: [w0hq] %systemroot%\system32\Rundll32.exe %systemroot%\system32\w0hq.dll,DllUnregisterServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDOG32] LYLoador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDSG32] LYLoadar.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDMG32] LYLoadmr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDHG32] LYLoadhr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDQG32] LYLoadqr.exe
O4 - HKUS\S-1-5-18\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ¿ìËÑ - {BF5DC4AE-258C-43d5-9D80-1F7ACD734DD8} - C:\WINDOWS\Temp\minigame.exe (file missing)
O9 - Extra 'Tools' menuitem: ¿ìËÙËÑË÷ - {BF5DC4AE-258C-43d5-9D80-1F7ACD734DD8} - C:\WINDOWS\Temp\minigame.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00726/sb028.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\Software\..\Telephony: DomainName = lagunatools.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lagunatools.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: 739366DB - Unknown owner - C:\WINDOWS\system32\CE6E243B.EXE (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: F7B38D6E - Unknown owner - C:\WINDOWS\system32\4A4CB081.EXE (file missing)
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (file missing)
O23 - Service: Windows Accounts Driver (windows_0) - Unknown owner - C:\WINDOWS\system32\kav.exe (file missing)

--
End of file - 10222 bytes
 
Hello TotalTech and welcome to the Forums :)

Sorry for the delay..

You're infected. These chinese infections can be pretty sticky to remove but let's see...One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.

At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D Teatimer.
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu select "Advanced Mode"
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh Hijackthis log

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
 
My turn to apologize I had some RL issues come up. While I was gone a coleuge decided to "help" and made things worse. Now when I boot the laptop up I get no icons or start bar both in Normal mode and Safe Mode. I do have a moise pointer. I can bring up task manager with ctrl+alt Delete and go to the run cmd from there. I tested this by bringing up msconfig. I now have the machine locked up and away from "helping" hands.
 
here is the combofix log.

ComboFix 07-12-02.6 - Administrator 2007-12-03 14:47:06.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.291 [GMT -8:00]
Running from: E:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\_desktop.ini
C:\Documents and Settings\Administrator.LAGUNATOOLS\Favorites\-0007~1.lnk
C:\Documents and Settings\Administrator.LAGUNATOOLS\Favorites\-9895~1.lnk
C:\Documents and Settings\Administrator.LAGUNATOOLS\Favorites\_cctv0~1.lnk
C:\Documents and Settings\Administrator.LAGUNATOOLS\Favorites\9265~1.lnk
C:\Documents and Settings\Administrator.LAGUNATOOLS\Favorites\bfc1~1.lnk
C:\Documents and Settings\Torben.LAGUNATOOLS\Favorites\7BFA~1.URL
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\cpush\Uninst.exe
C:\WINDOWS\b721.exe
C:\WINDOWS\bb1.bmp
C:\WINDOWS\system32\601.dll
C:\WINDOWS\system32\drivers\mxdispdr.sys
C:\WINDOWS\TEMP.\~my1.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IDNAUX
-------\LEGACY_MXDISPDR
-------\LEGACY_NPF
-------\LEGACY_WINDOWS_0
-------\mxdispdr
-------\nm
-------\NPF
-------\windows_0




((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-12-03 14:21 . 2007-12-03 14:21 <DIR> d-------- C:\HJTHIS
2007-11-20 08:35 . 2007-11-20 08:35 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2007-11-20 08:35 . 2007-11-20 08:35 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2007-11-20 08:34 . 2007-11-20 08:34 <DIR> d-------- C:\Program Files\Common Files\eDrawings2008
2007-11-19 09:59 . 2007-11-19 09:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\F11E4
2007-11-19 09:59 . 2007-11-19 09:59 19 --a------ C:\WINDOWS\SYSTEM32\setyahoo.ini
2007-11-16 10:44 . 2007-11-16 10:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-16 10:44 . 2007-11-16 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 09:57 . 2007-11-16 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 12:16 . 2007-11-13 12:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 12:15 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-11-13 11:03 . 2007-11-13 11:03 68 --a------ C:\WINDOWS\SYSTEM32\32f8cb
2007-11-13 10:33 . 2007-11-13 10:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-13 10:33 . 2007-11-13 10:33 68 --a------ C:\WINDOWS\SYSTEM32\2bce
2007-11-13 10:03 . 2007-11-13 10:03 68 --a------ C:\WINDOWS\SYSTEM32\1ca1
2007-11-13 09:33 . 2007-11-13 09:33 68 --a------ C:\WINDOWS\SYSTEM32\1b9b
2007-11-13 09:28 . 2007-07-09 05:16 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-11-13 09:13 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2007-11-13 09:03 . 2007-11-13 09:03 68 --a------ C:\WINDOWS\SYSTEM32\032f
2007-11-13 09:03 . 2007-11-13 11:05 29 --a------ C:\WINDOWS\SYSTEM32\2961-15-14
2007-11-13 08:46 . 2007-11-13 08:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-11-10 14:02 . 2007-11-10 14:02 <DIR> d-------- C:\Documents and Settings\Torben.LAGUNATOOLS\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 23:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-27 20:50 --------- d-----w C:\Documents and Settings\Torben.LAGUNATOOLS\Application Data\AdobeUM
2007-11-21 21:42 --------- d-----w C:\Program Files\SalesLogix
2007-11-19 18:02 --------- d-----w C:\Program Files\Trend Micro
2007-11-13 17:22 --------- d-----w C:\Documents and Settings\Administrator.LAGUNATOOLS\Application Data\U3
2007-11-13 16:01 --------- d-----w C:\Program Files\MSN Messenger
2007-11-13 15:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 15:56 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-22 17:48 579,808 ----a-w C:\WINDOWS\system32\drivers\FStopW.sys
2004-10-27 23:02 17,144 ----a-w C:\Documents and Settings\IT\Application Data\GDIPFONTCACHEV1.DAT
2004-10-26 23:46 13,312 ----a-w C:\Documents and Settings\Torben.LAGUNATOOLS\garbage-maybe.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-28_10.43.07.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-09 00:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9751A53-4494-4d7c-9732-AE3058D8145F}]
C:\WINDOWS\system32\0841.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 08:33]
"ATI"="C:\WINDOWS\temp\ATi2evxx.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2007-10-24 14:28]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" []
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-16 16:17]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-08-20 18:24]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 10:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"w0hq"="C:\WINDOWS\system32\Rundll32.exe" [2004-08-03 23:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EFI Job Monitor"="C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{62A612A4-4334-4424-4234-42261A31A238}"= C:\WINDOWS\system32\bbqpri.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 05:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\6]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\7]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\6]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\7]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logoff]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon\0\0]
"Script"=mapH.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logoff]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logon\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1235\Scripts\Logon\0\0]
"Script"=mapH.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1280\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-500\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1009\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-
 
1-5-21-843651394-707275292-1862565094-1022\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Loopback-GPO-List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=C:\WINDOWS\pss\Device Detector 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2k0lcm1sg7r6]
C:\DOCUME~1\TORBEN~1.LAG\LOCALS~1\Temp\explorei.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2003-07-29 11:30 335872 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bascstray]
BascsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmdbcs]
C:\WINDOWS\cmdbcs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol]
2003-05-29 20:47 69632 --a------ C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2002-12-17 18:16 360448 --a------ C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2002-07-17 08:18 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\PROGRA~1\COMMON~1\onlinegame\fs2online.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mhsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\mhso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mnupyjkn]
C:\WINDOWS\mnupyjkn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 12.0]
2007-07-31 17:36 2037088 --a------ C:\Program Files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nqwindl]
C:\WINDOWS\nqwinll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwnslop]
C:\WINDOWS\nwnslop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nzttlln]
C:\WINDOWS\nzttdll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]
2003-03-26 16:41 53248 --a------ C:\PROGRA~1\PESTPA~1\PPControl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]
2003-04-19 04:53 148480 --a------ C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qjsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\qjso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\PROGRA~1\COMMON~1\onlinegame\fs2online.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\testrun]
C:\WINDOWS\testexe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tlsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\tlso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TradeManager]
C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager -hideframe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\upxdnd]
C:\WINDOWS\upxdnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\wdso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wgsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\wgso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wincdb]
C:\WINDOWS\wincdb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wlsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\wlso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wosa]
C:\DOCUME~1\TORBEN~1.LAG\LOCALS~1\Temp\woso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zcrbzk2s]
C:\DOCUME~1\TORBEN~1.LAG\LOCALS~1\Temp\iexpl0re.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Visual Studio Analyzer RPC bridge"=3 (0x3)
"tmlisten"=2 (0x2)
"SolidWorks Licensing Service"=3 (0x3)
"ose"=3 (0x3)
"ntrtscan"=2 (0x2)
"NetSvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"F7B38D6E"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WinDefend"=2 (0x2)
"739366DB"=2 (0x2)
"Norton Ghost"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"BAsfIpM"=2 (0x2)

R0 bpdudhg5;bpdudhg;C:\WINDOWS\system32\DRIVERS\bpdudhg5.sys
R0 FPAV_RTP;FPAV_RTP;C:\WINDOWS\system32\drivers\FStopW.sys
R1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\System32\Drivers\RCFOX.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R2 FPAVServer;F-PROT Antivirus for Windows system;"C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe"
R2 v2imount;Symantec V2i Mount Driver;C:\WINDOWS\system32\DRIVERS\v2imount.sys
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S2 gaiz95nu;gaiz95nu;\??\C:\WINDOWS\system32\drivers\gaiz95nu.sys
S2 t1p1r0l;t1p1r0l;\??\C:\WINDOWS\system32\drivers\t1p1r0l.sys
S3 WimFltr;WimFltr;C:\WINDOWS\system32\DRIVERS\wimfltr.sys
S4 739366DB;739366DB;C:\WINDOWS\system32\CE6E243B.EXE -d
S4 F7B38D6E;F7B38D6E;C:\WINDOWS\system32\4A4CB081.EXE -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{217e2492-9209-11dc-81d6-006073e0d381}]
\Shell\AutoRun\command - E:\DCoTMenu.exe
\Shell\menu\command - E:\DCoTMenu.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{95192103-834D-71CF-64CD-51E15112AF20}]
C:\WINDOWS\system32\nwizhx2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BA312103-F04D-31cf-64CD-21EF5011CF20}]
C:\WINDOWS\system32\nwizqjsj.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-29 02:02:07 C:\WINDOWS\Tasks\Daily.job"
- C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPWin.exe
"2007-11-28 17:54:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-28 16:28:07 C:\WINDOWS\Tasks\Weekly.job"
- C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPWin.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 14:53:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 14:54:38 - machine was rebooted
.
--- E O F ---
 
1-5-21-843651394-707275292-1862565094-1022\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1022\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-1368\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-843651394-707275292-1862565094-500\Loopback-GPO-List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=C:\WINDOWS\pss\Device Detector 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2k0lcm1sg7r6]
C:\DOCUME~1\TORBEN~1.LAG\LOCALS~1\Temp\explorei.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2003-07-29 11:30 335872 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bascstray]
BascsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmdbcs]
C:\WINDOWS\cmdbcs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol]
2003-05-29 20:47 69632 --a------ C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2002-12-17 18:16 360448 --a------ C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2002-07-17 08:18 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\PROGRA~1\COMMON~1\onlinegame\fs2online.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mhsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\mhso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mnupyjkn]
C:\WINDOWS\mnupyjkn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 12.0]
2007-07-31 17:36 2037088 --a------ C:\Program Files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nqwindl]
C:\WINDOWS\nqwinll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwnslop]
C:\WINDOWS\nwnslop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nzttlln]
C:\WINDOWS\nzttdll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]
2003-03-26 16:41 53248 --a------ C:\PROGRA~1\PESTPA~1\PPControl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]
2003-04-19 04:53 148480 --a------ C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qjsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\qjso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\PROGRA~1\COMMON~1\onlinegame\fs2online.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\testrun]
C:\WINDOWS\testexe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tlsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\tlso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TradeManager]
C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager -hideframe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\upxdnd]
C:\WINDOWS\upxdnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\wdso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wgsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\wgso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wincdb]
C:\WINDOWS\wincdb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wlsa]
C:\DOCUME~1\ADMINI~1.LAG\LOCALS~1\Temp\wlso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wosa]
C:\DOCUME~1\TORBEN~1.LAG\LOCALS~1\Temp\woso.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zcrbzk2s]
C:\DOCUME~1\TORBEN~1.LAG\LOCALS~1\Temp\iexpl0re.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Visual Studio Analyzer RPC bridge"=3 (0x3)
"tmlisten"=2 (0x2)
"SolidWorks Licensing Service"=3 (0x3)
"ose"=3 (0x3)
"ntrtscan"=2 (0x2)
"NetSvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"F7B38D6E"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WinDefend"=2 (0x2)
"739366DB"=2 (0x2)
"Norton Ghost"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"BAsfIpM"=2 (0x2)

R0 bpdudhg5;bpdudhg;C:\WINDOWS\system32\DRIVERS\bpdudhg5.sys
R0 FPAV_RTP;FPAV_RTP;C:\WINDOWS\system32\drivers\FStopW.sys
R1 RCFOX;SonicWALL IPsec Driver;\??\C:\WINDOWS\System32\Drivers\RCFOX.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R2 FPAVServer;F-PROT Antivirus for Windows system;"C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe"
R2 v2imount;Symantec V2i Mount Driver;C:\WINDOWS\system32\DRIVERS\v2imount.sys
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys
S2 gaiz95nu;gaiz95nu;\??\C:\WINDOWS\system32\drivers\gaiz95nu.sys
S2 t1p1r0l;t1p1r0l;\??\C:\WINDOWS\system32\drivers\t1p1r0l.sys
S3 WimFltr;WimFltr;C:\WINDOWS\system32\DRIVERS\wimfltr.sys
S4 739366DB;739366DB;C:\WINDOWS\system32\CE6E243B.EXE -d
S4 F7B38D6E;F7B38D6E;C:\WINDOWS\system32\4A4CB081.EXE -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{217e2492-9209-11dc-81d6-006073e0d381}]
\Shell\AutoRun\command - E:\DCoTMenu.exe
\Shell\menu\command - E:\DCoTMenu.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{95192103-834D-71CF-64CD-51E15112AF20}]
C:\WINDOWS\system32\nwizhx2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BA312103-F04D-31cf-64CD-21EF5011CF20}]
C:\WINDOWS\system32\nwizqjsj.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-29 02:02:07 C:\WINDOWS\Tasks\Daily.job"
- C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPWin.exe
"2007-11-28 17:54:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-28 16:28:07 C:\WINDOWS\Tasks\Weekly.job"
- C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPWin.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 14:53:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 14:54:38 - machine was rebooted
.
--- E O F ---
 
Ok. You have a lot of infections there.

Now that you've ran combofix, does the computer start in normal mode or safe mode?
 
it will start in either mode but I have no desktop icons no start menu and no explorer. To get you the combo fix and HJT I have them on a usb thumb drive and ran them from there through the dos prompt.
 
Hi again :)

Sorry for the delay...

Ok looks bad. You have loads of these chinese pests there. One or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Also as the pc doesn't start, it is possible that we would have to do a repair installation and the see if the pc starts. If that works, then we'd have to try cleaning.

There is this one thing we can do and see if it helps:

You'll have to download the following scanner to the USB and run it via dos prompt.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found
    check.gif
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode,
  • Post the Cure-it report and a fresh HijackThis log

Please let us know what you have decided to do in your next post:bigthumb:
 
Cureit log

bpdudhg5.sys;c:\windows\system32\drivers;Adware.QQHelp;Incurable.Moved.;
bb1.bmp.vir;C:\qoobox\Quarantine\C\WINDOWS;Adware.Sogou.origin;Incurable.Moved.;
601.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32;Adware.Sogou.origin;Incurable.Moved.;
 
HJT log ran after cureit

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10, on 2007-12-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abetterblade.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:\WINDOWS\system32\0841.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI] C:\WINDOWS\temp\ATi2evxx.exe
O4 - HKUS\S-1-5-18\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00726/sb028.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\Software\..\Telephony: DomainName = lagunatools.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lagunatools.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lagunatools.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
 
continued

O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe (file missing)

--
End of file - 5612 bytes
 
the HJT log was done with the pc running in normal mode but I still have no desktop or explorer. Like before I ran the utilities through cmd prompt.

If possible I'd like to salvage this computer since the user has programs on it that are only on this computer. If it is beyond saving I guess he will learn from this painful lesson of his lost data. Thank you for all of your efforts in assisting me on this.
 
Hi :)

Ok. Now I need you to save the following text file (instructions below) to your memory stick


Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\SYSTEM32\32f8cb
C:\WINDOWS\SYSTEM32\2bce
C:\WINDOWS\SYSTEM32\1ca1
C:\WINDOWS\SYSTEM32\1b9b
C:\WINDOWS\SYSTEM32\032f
C:\WINDOWS\system32\0841.dll
C:\WINDOWS\system32\bbqpri.dll 
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\mnupyjkn.exe
C:\WINDOWS\nqwinll.exe
C:\WINDOWS\nwnslop.exe
C:\WINDOWS\nzttdll.exe
C:\WINDOWS\testexe.exe
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\wincdb.exe
C:\WINDOWS\system32\drivers\gaiz95nu.sys
C:\WINDOWS\system32\drivers\t1p1r0l.sys
C:\WINDOWS\system32\CE6E243B.EXE 
C:\WINDOWS\system32\4A4CB081.EXE 
C:\WINDOWS\system32\nwizqjsj.exe
C:\WINDOWS\system32\nwizhx2.exe

Folder::
C:\WINDOWS\SYSTEM32\F11E4

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9751A53-4494-4d7c-9732-AE3058D8145F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"w0hq"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{62A612A4-4334-4424-4234-42261A31A238}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2k0lcm1sg7r6]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmdbcs]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mhsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mnupyjkn]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nqwindl]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwnslop]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nzttlln]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qjsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\testrun]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tlsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\upxdnd]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wgsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wincdb]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wlsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wosa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zcrbzk2s]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{95192103-834D-71CF-64CD-51E15112AF20}]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BA312103-F04D-31cf-64CD-21EF5011CF20}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"F7B38D6E"=-
"739366DB"=-

Driver::
bpdudhg5
gaiz95nu
t1p1r0l 
739366DB  
F7B38D6E

Save this as "CFScript"

Now you'll need to move this CFScript to the ComboFix (like in the picture below)

CFScript.gif


Alternatively you can copy the file CFScript to your clipboard (CTRL+C) and then select ComboFix.exe and paste the CFScript (CTRL+V) to ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
combofix log

ComboFix 07-12-02.6 - Administrator 2007-12-07 13:46:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.217 [GMT -8:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\mnupyjkn.exe
C:\WINDOWS\nqwinll.exe
C:\WINDOWS\nwnslop.exe
C:\WINDOWS\nzttdll.exe
C:\WINDOWS\SYSTEM32\032f
C:\WINDOWS\system32\0841.dll
C:\WINDOWS\SYSTEM32\1b9b
C:\WINDOWS\SYSTEM32\1ca1
C:\WINDOWS\SYSTEM32\2bce
C:\WINDOWS\SYSTEM32\32f8cb
C:\WINDOWS\system32\4A4CB081.EXE
C:\WINDOWS\system32\bbqpri.dll
C:\WINDOWS\system32\CE6E243B.EXE
C:\WINDOWS\system32\drivers\gaiz95nu.sys
C:\WINDOWS\system32\drivers\t1p1r0l.sys
C:\WINDOWS\system32\nwizhx2.exe
C:\WINDOWS\system32\nwizqjsj.exe
C:\WINDOWS\testexe.exe
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\wincdb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\032f
C:\WINDOWS\SYSTEM32\1b9b
C:\WINDOWS\SYSTEM32\1ca1
C:\WINDOWS\SYSTEM32\2bce
C:\WINDOWS\SYSTEM32\32f8cb
C:\WINDOWS\SYSTEM32\F11E4

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_739366DB
-------\LEGACY_BPDUDHG5
-------\LEGACY_F7B38D6E
-------\LEGACY_GAIZ95NU
-------\LEGACY_T1P1R0L
-------\739366DB
-------\F7B38D6E
-------\gaiz95nu
-------\t1p1r0l


((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
.

2007-12-06 09:28 . 2007-12-06 09:32 <DIR> d-------- C:\Documents and Settings\Administrator.LAGUNATOOLS\DoctorWeb
2007-12-03 14:21 . 2007-12-03 14:21 <DIR> d-------- C:\HJTHIS
2007-11-20 08:35 . 2007-11-20 08:35 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2007-11-20 08:35 . 2007-11-20 08:35 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2007-11-20 08:34 . 2007-11-20 08:34 <DIR> d-------- C:\Program Files\Common Files\eDrawings2008
2007-11-19 09:59 . 2007-11-19 09:59 19 --a------ C:\WINDOWS\SYSTEM32\setyahoo.ini
2007-11-16 10:44 . 2007-11-16 10:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-16 10:44 . 2007-11-16 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 09:57 . 2007-11-16 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 12:16 . 2007-11-13 12:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 12:15 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-11-13 10:33 . 2007-11-13 10:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-13 09:28 . 2007-07-09 05:16 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-11-13 09:13 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2007-11-13 09:03 . 2007-11-13 11:05 29 --a------ C:\WINDOWS\SYSTEM32\2961-15-14
2007-11-13 08:46 . 2007-11-13 08:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-11-10 14:02 . 2007-11-10 14:02 <DIR> d-------- C:\Documents and Settings\Torben.LAGUNATOOLS\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 23:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-27 20:50 --------- d-----w C:\Documents and Settings\Torben.LAGUNATOOLS\Application Data\AdobeUM
2007-11-21 21:42 --------- d-----w C:\Program Files\SalesLogix
2007-11-19 18:02 --------- d-----w C:\Program Files\Trend Micro
2007-11-13 17:22 --------- d-----w C:\Documents and Settings\Administrator.LAGUNATOOLS\Application Data\U3
2007-11-13 16:01 --------- d-----w C:\Program Files\MSN Messenger
2007-11-13 15:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 15:56 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-22 17:48 579,808 ----a-w C:\WINDOWS\system32\drivers\FStopW.sys
2004-10-27 23:02 17,144 ----a-w C:\Documents and Settings\IT\Application Data\GDIPFONTCACHEV1.DAT
2004-10-26 23:46 13,312 ----a-w C:\Documents and Settings\Torben.LAGUNATOOLS\garbage-maybe.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-28_10.43.07.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-09 00:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 08:33]
"ATI"="C:\WINDOWS\temp\ATi2evxx.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2007-10-24 14:28]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" []
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-16 16:17]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-08-20 18:24]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 10:28]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EFI Job Monitor"="C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 05:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\6]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\7]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\6]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\7]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-1005\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2305495557-1519959921-965136123-500\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1113\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPLink-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\3]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\4]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\GPO-List\5]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logoff]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1138\Scripts\Logon\0\0]
"Script"=mapH.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-636250577-1678753426-315690109-1203\Extension-List]
 
You must log in or register to reply here.
Back
Top