Full Version: Slow computer/Blank Pop-ups
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
elmashoak
I know I have something on my computer, because it is running very, very slow and blank Windows Explorer pop-ups keep appearing periodically. I've run both Spybot Search and Destroy, and AdAware, but they both come back saying there are no malicious programs on my computer. Please Help.

I've set a restore point and run ERUNT and run an AdAware AE scan with the latest update.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:35 PM, on 4/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\SMART Technologies Inc\Senteo\SenteoSoftwareService.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WSFINALACLSERVICE.exe
C:\Program Files\SMART Technologies Inc\Senteo\SenteoHardwareService.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\SMART Board Software\Mobile Device Manager\Chinook.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Autobahn\autobahn.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\SMART Technologies Inc\Senteo\SenteoTray.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.riverside.dpsnc.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.riverside.dpsnc.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.riverside.dpsnc.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/hlidOffice...=EC010227221033
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Durham Public Schools
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2899f41a-c18a-4559-b5bb-cebe3baa83a7} - C:\WINDOWS\system32\zuyahoba.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies Inc\Notebook Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [aavctorun] C:\Program Files\VCASEL2000\vcsecure.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [linQ] C:\Program Files\SMART Board Software\Mobile Device Manager\MobDevMan.exe
O4 - HKLM\..\Run: [PDAlinQ] C:\Program Files\SMART Board Software\Mobile Device Manager\Chinook.exe
O4 - HKLM\..\Run: [SMART Mirror Driver Monitor Service] "C:\Program Files\Common Files\SMART Technologies Inc\Mirror Driver\MonitorService.exe"
O4 - HKLM\..\Run: [1829452e] rundll32.exe "C:\WINDOWS\system32\jigefuwi.dll",b
O4 - HKLM\..\Run: [reguhafife] Rundll32.exe "C:\WINDOWS\system32\dijineho.dll",s
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [CPM1b1a76b2] Rundll32.exe "c:\windows\system32\guhiziho.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [reguhafife] Rundll32.exe "C:\WINDOWS\system32\dijineho.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [reguhafife] Rundll32.exe "C:\WINDOWS\system32\dijineho.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autobahn.lnk = C:\Program Files\Autobahn\autobahn.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: Senteo Menu.lnk = C:\Program Files\SMART Technologies Inc\Senteo\SenteoTray.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.riverside.dpsnc.net/
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://dps-21-trendcm/officescan/console/C...ll/WinNTChk.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://dps-21-trendcm/officescan/console/C...stall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://dps-21-trendcm/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://dps-21-trendcm/officescan/console/C.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117630597953
O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - https://esis.ncwise.org/forms/jinitiator/jinit13128.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dpsnc.local
O17 - HKLM\Software\..\Telephony: DomainName = dpsnc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dpsnc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dpsnc.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dpsnc.local
O20 - AppInit_DLLs: c:\windows\system32\ratifuya.dll C:\WINDOWS\system32\vawopijo.dll c:\windows\system32\wifokuvi.dll c:\windows\system32\guhiziho.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wifokuvi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wifokuvi.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Senteo™ Hardware - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\Senteo\SenteoHardwareService.exe
O23 - Service: Senteo™ Software - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\Senteo\SenteoSoftwareService.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies - C:\Program Files\Common Files\SMART Technologies Inc\Mirror Driver\MonitorService.exe
O23 - Service: OfficeScanNT Personal Firewall (TmPfw) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe (file missing)
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe (file missing)
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: VC WS CHANGEACL Service (wsfinalaclservice) - cpsi - C:\WINDOWS\system32\WSFINALACLSERVICE.exe

--
End of file - 12330 bytes
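As an added example, not part of the original post and not a HijackThis or Lavasoft tool, the following Python script applies a defender's reading of the log above to a handful of its own lines: it parses the `Oxx - ...` entries, flags the load points a malware analyst would inspect first (an unnamed BHO or rundll32 `Run` entry pointing at a system32 DLL with a generated-looking name, anything in `AppInit_DLLs`, and a CLSID registered as both an SSODL and a SharedTaskScheduler hook), and cross-references which load points each DLL appears in. The sample lines are copied from the log posted above, with a few legitimate entries kept so the filter has something to pass over. The consonant/vowel naming heuristic is an assumption derived from the names in this particular log, not a general rule; it is there to show how a triage script ranks entries, and every hit still needs human confirmation.

```python
import re
from collections import defaultdict

# Sample lines taken from the HijackThis log posted above. The Adobe BHO, hkcmd.exe
# and the UltraVNC service are legitimate and should not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2899f41a-c18a-4559-b5bb-cebe3baa83a7} - C:\WINDOWS\system32\zuyahoba.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [1829452e] rundll32.exe "C:\WINDOWS\system32\jigefuwi.dll",b
O4 - HKLM\..\Run: [reguhafife] Rundll32.exe "C:\WINDOWS\system32\dijineho.dll",s
O4 - HKLM\..\Run: [CPM1b1a76b2] Rundll32.exe "c:\windows\system32\guhiziho.dll",a
O4 - HKUS\S-1-5-19\..\Run: [reguhafife] Rundll32.exe "C:\WINDOWS\system32\dijineho.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\ratifuya.dll C:\WINDOWS\system32\vawopijo.dll c:\windows\system32\wifokuvi.dll c:\windows\system32\guhiziho.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wifokuvi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wifokuvi.dll
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
"""

SECTION_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# A drive-letter path ending in .dll/.exe; lazy so space-separated lists (O20) split correctly.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:dll|exe))', re.IGNORECASE)
# rundll32 <dll>,<export> where the export name is a single letter.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^"]+\.dll)"?,([a-z])\b', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
VOWELS = set("aeiou")


def looks_generated(basename):
    """Heuristic (an assumption drawn from this log, not a general rule): the random
    names here are exactly 8 letters that strictly alternate consonant/vowel, e.g.
    zuyahoba, wifokuvi. Real system files (hkcmd, ctfmon, winlogon) break the pattern."""
    stem = basename.lower().rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def triage(log_text):
    """Return {basename: [sections]} for every file that trips at least one indicator,
    with the HijackThis sections it was found in sorted numerically."""
    hits = defaultdict(set)
    by_clsid = defaultdict(lambda: {"sections": set(), "names": set()})
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        for path in PATH_RE.findall(body):
            path = path.lower()
            name = path.rsplit("\\", 1)[-1]
            # Indicator 1: generated-looking filename sitting in system32.
            if "\\system32\\" in path and looks_generated(name):
                hits[name].add(section)
            # Indicator 2: AppInit_DLLs entries are loaded into every process that
            # maps user32.dll, so each one is worth a look regardless of its name.
            if section == "O20":
                hits[name].add(section)
            if section in ("O21", "O22"):
                c = CLSID_RE.search(body)
                if c:
                    by_clsid[c.group(0).lower()]["sections"].add(section)
                    by_clsid[c.group(0).lower()]["names"].add(name)
        # Indicator 3: rundll32 loading a DLL through a one-letter export name.
        r = RUNDLL_RE.search(body)
        if r:
            hits[r.group(1).lower().rsplit("\\", 1)[-1]].add(section)
    # Indicator 4: one CLSID registered as both an SSODL and a SharedTaskScheduler
    # entry, i.e. two separate shell-load hooks for the same component.
    for info in by_clsid.values():
        if {"O21", "O22"} <= info["sections"]:
            for name in info["names"]:
                hits[name].update(info["sections"])
    return {name: sorted(secs, key=lambda s: int(s[1:]))
            for name, secs in sorted(hits.items())}


if __name__ == "__main__":
    for name, sections in triage(SAMPLE_LOG).items():
        print(f"{name:14s} loaded via {', '.join(sections)}")
```

Running it lists seven DLLs and none of the legitimate entries; `wifokuvi.dll` shows up under O20, O21 and O22 at once, which is the kind of cross-section correlation that separates a persistent component from a one-off startup entry. A script like this is a triage aid for reading logs, not a removal tool; the removal steps in this thread are what actually address the infection.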
Rorschach112
hello

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

elmashoak
Thank you. Here is the Combofix log.

ComboFix 09-04-13.07 - Jean_Stave 2009-04-12 19:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.219 [GMT -4:00]
Running from: c:\documents and settings\jean_stave\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated)
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled*
FW: Trend Micro Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\batujuko.dll
c:\windows\system32\dijineho.dll
c:\windows\system32\guhiziho.dll
c:\windows\system32\hovutale.dll
c:\windows\system32\iwufegij.ini
c:\windows\system32\jigefuwi.dll
c:\windows\system32\vawopijo.dll
c:\windows\system32\wifokuvi.dll
c:\windows\system32\wuduzuli.dll
c:\windows\system32\zuyahoba.dll

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
hxxp://monitor.dpsnc.local
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDRIVER
-------\Service_WinDriver


((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-12 04:05 . 2009-04-12 04:05 0 ----a-w c:\windows\system32\AAWService_2009_04_12_00_05_17.dmp
2009-04-12 03:48 . 2009-04-12 03:48 -------- d-----w c:\program files\ERUNT
2009-04-11 12:24 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-10 17:11 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-10 17:11 . 2009-04-10 17:11 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-10 17:04 . 2009-04-10 17:05 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-10 17:03 . 2009-04-10 17:11 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-10 17:03 . 2009-04-10 17:03 -------- d-----w c:\program files\Lavasoft
2009-04-10 03:21 . 2004-08-04 12:00 97280 ----a-w c:\windows\system32\bootvi.dll
2009-04-09 11:13 . 2009-04-09 11:13 809 ----a-w c:\windows\system32\LexFiles.usr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 00:22 . 2005-10-17 10:37 17408 ----a-w c:\windows\system32\rpcnetp.exe
2009-04-14 00:22 . 2005-10-17 10:38 17408 ----a-w c:\windows\system32\rpcnetp.dll
2009-04-14 00:22 . 2005-10-14 10:42 47104 ----a-w c:\windows\system32\rpcnet.dll
2009-04-14 00:21 . 2009-04-12 02:55 1116 ----a-w C:\aaw7boot.log
2009-04-13 23:27 . 2009-01-13 23:27 64000 --sha-w c:\windows\system32\sezerabo.exe
2009-04-12 21:44 . 2005-06-01 12:55 -------- d-----w c:\program files\Trend Micro
2009-04-12 21:30 . 2009-01-12 21:30 64000 --sha-w c:\windows\system32\jadebaji.exe
2009-04-12 03:56 . 2009-01-12 03:56 62976 --sha-w c:\windows\system32\husugudi.exe
2009-04-10 16:02 . 2009-01-10 16:02 64512 --sha-w c:\windows\system32\habemoya.exe
2009-04-10 03:42 . 2009-01-10 20:24 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-10 03:21 . 2009-01-10 03:21 61440 --sha-w c:\windows\system32\soremeno.exe
2009-04-10 03:21 . 2009-01-10 03:21 124928 --sha-w c:\windows\system32\rejufopa.exe
2009-03-20 00:18 . 2008-05-21 09:17 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-13 17:41 . 2009-03-13 17:40 -------- d-----w c:\program files\Autobahn
2009-02-10 21:45 . 2008-10-10 06:36 35840 ----a-w c:\windows\system32\diag2.dll
2009-02-09 11:13 . 2009-01-05 23:17 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-05 17:39 . 2008-08-21 15:07 75912 ----a-w c:\documents and settings\jean_stave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-05 03:21 . 2009-02-05 03:21 1082 ----a-w C:\SenteoSoftwareService.history(2009-02-04).xml
2009-02-05 03:21 . 2009-01-13 19:12 23537 ----a-w C:\SenteoSoftwareService.history.xml
2008-01-09 16:06 . 2005-09-08 13:13 75136 ----a-w c:\documents and settings\tim_brown\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 16:02 . 2009-01-10 16:02 64512 --sha-w c:\windows\system32\habemoya.exe
2009-04-12 03:56 . 2009-01-12 03:56 62976 --sha-w c:\windows\system32\husugudi.exe
2009-04-12 21:30 . 2009-01-12 21:30 64000 --sha-w c:\windows\system32\jadebaji.exe
2009-04-10 03:21 . 2009-01-10 03:21 124928 --sha-w c:\windows\system32\rejufopa.exe
2009-04-13 23:27 . 2009-01-13 23:27 64000 --sha-w c:\windows\system32\sezerabo.exe
2009-04-10 03:21 . 2009-01-10 03:21 61440 --sha-w c:\windows\system32\soremeno.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2004-06-20 630854]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2007-09-06 710000]
"aavctorun"="c:\program files\VCASEL2000\vcsecure.exe" [2004-10-01 278615]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"linQ"="c:\program files\SMART Board Software\Mobile Device Manager\MobDevMan.exe" [2006-03-02 688128]
"PDAlinQ"="c:\program files\SMART Board Software\Mobile Device Manager\Chinook.exe" [2005-06-03 331776]
"SMART Mirror Driver Monitor Service"="c:\program files\Common Files\SMART Technologies Inc\Mirror Driver\MonitorService.exe" [2004-08-26 319488]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
autobahn.lnk - c:\program files\Autobahn\autobahn.exe [2009-01-21 712408]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-12-02 618557]
Program Neighborhood Agent.lnk - c:\program files\Citrix\ICA Client\pnagent.exe [2005-04-04 233744]
Senteo Menu.lnk - c:\program files\SMART Technologies Inc\Senteo\SenteoTray.exe [2007-07-25 1185032]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2006-11-24 3411968]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoPwdPage"= 0 (0x0)
"NoProfilePage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"ConnectHomeDirToRoot"= 1 (0x1)
"EnableProfileQuota"= 0 (0x0)
"MaxProfileSize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoManageMyComputerVerb"= 1 (0x1)
"NoHardwareTab"= 1 (0x1)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)
"NoNetConnectDisconnect"= 1 (0x1)
"NoSimpleStartMenu"= 0 (0x0)
"ForceClassicControlPanel"= 0 (0x0)
"DisablePersonalDirChange"= 1 (0x1)
"NoPropertiesRecycleBin"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"NoDFSTab"= 1 (0x1)
"NoSecurityTab"= 1 (0x1)
"RestrictRun"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"0"= bckgzm.exe
"1"= chkrzm.exe
"2"= freecell.exe
"3"= hrtzzm.exe
"4"= mshearts.exe
"5"= pinball.exe
"6"= rvsezm.exe
"7"= shimgvw.dll
"8"= shvlzm.exe
"9"= sol.exe
"10"= spider.exe
"11"= winmine.exe
"12"= wmplayer.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=dpsadmin.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\dpsnc.local\dfs\SDP\Integrade Pro 9.2\Servers_Config.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=dpsadmin.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=jinit.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=\\dpsnc.local\dfs\VCaselConfigs\Scripts\dcinfo-ad1-ws.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-110101\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-110101\Scripts\Logon\0\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-110101\Scripts\Logon\1\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-111407\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-111407\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-111525\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-111525\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-111614\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-111614\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-111840\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-111840\Scripts\Logon\0\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-111840\Scripts\Logon\1\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-111858\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-111858\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-112035\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-112035\Scripts\Logon\0\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-112035\Scripts\Logon\1\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-112082\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-112082\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-112127\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-112127\Scripts\Logon\0\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-112127\Scripts\Logon\1\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-136352\Scripts\Logoff\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-136352\Scripts\Logon\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-136352\Scripts\Logon\1\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-136352\Scripts\Logon\2\0]
"Script"=Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-145636\Scripts\Logoff\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-145636\Scripts\Logon\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-145636\Scripts\Logon\1\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-145636\Scripts\Logon\2\0]
"Script"=Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-150530\Scripts\Logoff\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-150530\Scripts\Logon\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-150530\Scripts\Logon\1\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-150530\Scripts\Logon\2\0]
"Script"=Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logoff\1\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logoff\2\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logoff\3\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logon\0\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logon\1\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logon\2\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logon\3\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logon\4\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logon\5\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logon\6\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logon\7\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-155617\Scripts\Logon\8\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-156239\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-156239\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-156239\Scripts\Logon\1\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-156239\Scripts\Logon\2\0]
"Script"=Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logoff\1\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logoff\2\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logoff\3\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logon\0\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logon\1\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logon\2\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logon\3\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logon\4\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logon\5\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logon\6\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logon\7\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-158692\Scripts\Logon\8\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-159251\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-159251\Scripts\Logon\0\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-159251\Scripts\Logon\1\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-159251\Scripts\Logon\2\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_XTWO.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-159251\Scripts\Logon\3\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-159251\Scripts\Logon\4\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_XONE.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-159251\Scripts\Logon\5\0]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\PrinterAdd.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-159251\Scripts\Logon\5\1]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\PrinterAdd.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-159251\Scripts\Logon\6\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\Tea_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-163270\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-163270\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-163270\Scripts\Logon\1\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-163270\Scripts\Logon\2\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\0\0]
"Script"=\\dpsnc.local\dfs\SDP\INTEGRD_CP\INTEGRD_CP.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\1\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\2\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\Tea_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\2\1]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\3\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\4\0]
"Script"=\\DPSNC.LOCAL\DFS\SDP\Scripts\MapDrive.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\4\1]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\MapDrive.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\5\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_XONE.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\6\0]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\PrinterAdd.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\6\1]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\PrinterAdd.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\7\0]
"Script"=Tea_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-171591\Scripts\Logon\7\1]
"Script"=Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-185651\Scripts\Logoff\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-185651\Scripts\Logon\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-185651\Scripts\Logon\1\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-185651\Scripts\Logon\2\0]
"Script"=Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-191107\Scripts\Logoff\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-191107\Scripts\Logon\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-191107\Scripts\Logon\1\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-191107\Scripts\Logon\2\0]
"Script"=Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-195591\Scripts\Logoff\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-195591\Scripts\Logon\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-195591\Scripts\Logon\1\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_XTWO.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-195591\Scripts\Logon\2\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-195591\Scripts\Logon\3\0]
"Script"=\\dpsnc.local\dfs\sdp\scripts\MapSingleShare\MapSingleShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-195591\Scripts\Logon\3\1]
"Script"=\\dpsnc.local\dfs\sdp\scripts\MapSingleShare\MapSingleShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-195591\Scripts\Logon\4\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_XONE.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-195591\Scripts\Logon\5\0]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\PrinterAdd.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-195591\Scripts\Logon\5\1]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\PrinterAdd.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-195591\Scripts\Logon\6\0]
"Script"=Tea_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-195591\Scripts\Logon\6\1]
"Script"=Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-201120\Scripts\Logoff\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-201120\Scripts\Logon\0\0]
"Script"=authenticat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-201120\Scripts\Logon\1\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-201120\Scripts\Logon\2\0]
"Script"=Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-61984\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-61984\Scripts\Logon\0\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-61984\Scripts\Logon\1\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7677\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7677\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7677\Scripts\Logon\1\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_XTWO.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7677\Scripts\Logon\2\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7677\Scripts\Logon\3\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_XONE.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7677\Scripts\Logon\4\0]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\PrinterAdd.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7677\Scripts\Logon\4\1]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\PrinterAdd.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7677\Scripts\Logon\5\0]
"Script"=Tea_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7677\Scripts\Logon\5\1]
"Script"=Stu_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7747\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7747\Scripts\Logoff\1\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7747\Scripts\Logon\0\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7747\Scripts\Logon\1\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_XTWO.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7747\Scripts\Logon\2\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7747\Scripts\Logon\3\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\Tea_Apps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7747\Scripts\Logon\4\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7747\Scripts\Logon\5\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7747\Scripts\Logon\6\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_XTWO.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7747\Scripts\Logon\7\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-7747\Scripts\Logon\8\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-83347\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-83347\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logoff\1\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logoff\2\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logoff\3\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logon\0\0]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\move_favorites.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logon\1\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logon\2\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logon\3\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logon\4\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logon\5\0]
"Script"=\\dpsnc.local\dfs\sdp\Scripts\move_favorites.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logon\6\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logon\7\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logon\8\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-91018\Scripts\Logon\9\0]
"Script"=\\dpsnc.local\dfs\SDP\Scripts\65_SAT_icon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-92335\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-92335\Scripts\Logon\0\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-93650\Scripts\Logoff\0\0]
"Script"=logoff.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-93650\Scripts\Logon\0\0]
"Script"=autopcc.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1198204733-3122656313-790680861-93650\Scripts\Logon\1\0]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Autobahn\\autobahn.exe"=

R2 SMART Mirror Driver Monitor Service;SMART Mirror Driver Monitor Service;c:\program files\Common Files\SMART Technologies Inc\Mirror Driver\MonitorService.exe [2004-08-26 319488]
R2 TmFilter;Trend Micro Filter; [x]
R2 TmPreFilter;Trend Micro PreFilter; [x]
R3 TmPfw;OfficeScanNT Personal Firewall; [x]
R3 TmProxy;OfficeScan NT Proxy Service; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 Senteo™ Hardware;Senteo™ Hardware;c:\program files\SMART Technologies Inc\Senteo\SenteoHardwareService.exe [2007-07-25 513288]
S2 Senteo™ Software;Senteo™ Software;c:\program files\SMART Technologies Inc\Senteo\SenteoSoftwareService.exe [2007-07-25 562440]
S2 wsfinalaclservice;VC WS CHANGEACL Service;c:\windows\system32\WSFINALACLSERVICE.exe [2004-05-20 241753]
S3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\DRIVERS\smrtdrv.sys [2004-04-22 2432]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2007-08-27 314896]


--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - BthServ
*Deregistered* - btwdins
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - helpsvc
*Deregistered* - HTTPFilter
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - Netlogon
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - Rpcnet
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - Senteo™ Hardware
*Deregistered* - Senteo™ Software
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SMART Board Service
*Deregistered* - SMART Mirror Driver Monitor Service
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tmtdi
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - UPHClean
*Deregistered* - uphcleanhlp
*Deregistered* - upnphost
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - WinDriver6
*Deregistered* - winmgmt
*Deregistered* - winvnc
*Deregistered* - wltrysvc
*Deregistered* - WMPNetworkSvc
*Deregistered* - wscsvc
*Deregistered* - WSearch
*Deregistered* - wsfinalaclservice
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8135d0c1-d273-11d9-a788-806d6172696f}]
\Shell\AutoRun\command - d:\programs\nu2menu\nu2menu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ae1cc53-e333-11d9-afb9-806d6172696f}]
\Shell\AutoRun\command - d:\programs\nu2menu\nu2menu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a60da1f9-e352-11d9-a0fd-806d6172696f}]
\Shell\AutoRun\command - d:\programs\nu2menu\nu2menu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f09c2679-e405-11d9-b1ab-806d6172696f}]
\Shell\AutoRun\command - d:\programs\nu2menu\nu2menu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6399753-e34f-11d9-bc09-806d6172696f}]
\Shell\AutoRun\command - d:\programs\nu2menu\nu2menu.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2899f41a-c18a-4559-b5bb-cebe3baa83a7} - c:\windows\system32\zuyahoba.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.riverside.dpsnc.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxp://dps-21-trendcm/officescan/console/html/AtxEnc.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 20:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2952)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\rpcnet.exe
c:\program files\SMART Board Software\SMARTBoardService.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\searchindexer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLTRAY.EXE
c:\program files\SMART Board Software\Aware.exe
c:\program files\SMART Board Software\Marker.exe
.
**************************************************************************
.
Completion time: 2009-04-13 20:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-14 00:42

Pre-Run: 16,177,795,072 bytes free
Post-Run: 17,108,717,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

648 --- E O F --- 2009-04-07 23:42
Rorschach112
hello

Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.lavasoftsupport.com/index.php?showtopic=25020

Collect::
c:\windows\system32\sezerabo.exe
c:\windows\system32\jadebaji.exe
c:\windows\system32\husugudi.exe
c:\windows\system32\habemoya.exe
c:\windows\system32\soremeno.exe
c:\windows\system32\rejufopa.exe
c:\windows\system32\habemoya.exe
c:\windows\system32\husugudi.exe
c:\windows\system32\jadebaji.exe
c:\windows\system32\rejufopa.exe
c:\windows\system32\sezerabo.exe
c:\windows\system32\soremeno.exe
c:\windows\system32\bootvi.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8135d0c1-d273-11d9-a788-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ae1cc53-e333-11d9-afb9-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a60da1f9-e352-11d9-a0fd-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f09c2679-e405-11d9-b1ab-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6399753-e34f-11d9-bc09-806d6172696f}]


Suspect::


Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Rorschach112
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !