mayi,
Here's FindAWF log, Uninstall list, Combofix log, and the contents of Notepad from step 4:
Find AWF report by noahdfear ©2006
bak folders found
~~~~~~~~~~~
Directory of C:\HP\KBD\BAK
07/06/2001 05:56 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\MICROS~3\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\SYMNET~1\BAK
04/28/2005 12:00 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes
Directory of C:\WINDOWS\SMINST\BAK
06/15/2001 06:34 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes
Directory of C:\WINDOWS\SYSTEM\BAK
05/07/1998 12:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
08/04/2004 02:56 AM 15,360 ctfmon.exe
08/07/2001 07:36 PM 90,112 hkcmd.exe
2 File(s) 105,472 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
02/28/2005 06:46 PM 68,768 ccApp.exe
1 File(s) 68,768 bytes
Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
09/04/2001 01:32 PM 196,608 hpztsb04.exe
1 File(s) 196,608 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
61440 Jul 6 2001 "C:\hp\KBD\KBD.EXE"
61440 Jul 6 2001 "C:\hp\KBD\bak\KBD.EXE"
100056 Apr 28 2005 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Apr 28 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
212992 Jun 15 2001 "C:\WINDOWS\SMINST\RECGUARD.EXE"
212992 Jun 15 2001 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\SYSTEM\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\SYSTEM\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
90112 Aug 7 2001 "C:\hp\drivers\video\HKCMD.EXE"
90112 Aug 7 2001 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
68768 Feb 28 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
68768 Feb 28 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
196608 Sep 4 2001 "C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\hpztsb04.exe"
196608 Sep 4 2001 "C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\bak\hpztsb04.exe"
end of report
UNINSTALL LIST:
10-Key
Active Disk
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe ActiveShare 1.5
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Illustrator 10.0.3
Adobe PageMaker 7.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
Adobe SVG Viewer 3.0
ArcSoft Software Suite
Belarc Advisor 6.1
BHODemon 2.0.0.21
CC_ccStart
ccCommon
Corel Applications
CramMaster
Desktop Assistant
Detto IntelliMover
Diskeeper Lite
Easy Internet Sign-up
FinePixViewer Ver.3.2
FUJIFILM USB Driver
G-Force
HexDump extension for Ad-aware 6
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
hp center
hp deskjet 845c series
hp deskjet 845c series (Remove only)
HP Instant Support
HP PrecisionScan LTX
HP RecordNow
HP Share-to-Web
ImageMixer VCD for FinePix
Inactive HP Printer Drivers (Remove only)
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD
Ioline SmarTrac Software
Iomega App Services
Iomega Backup 4.4
Iomega Quik Floppy Copy
IomegaWare
ITTutor Gold
Java 2 Runtime Environment Standard Edition v1.3.1_04
Java(TM) 6 Update 2
KazooStudio
KBD
Lavasoft Reghance 2.1
Lernout & Hauspie TruVoice American English TTS Engine
Letter Art 9.45 Base
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
LSP Explorer Pluginfor Ad-aware 6
Messenger Control Plugin for Ad-aware
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft Baseline Security Analyzer 1.2.1
Microsoft Data Access Components KB870669
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office XP Media Content
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Standard for Students and Teachers
Microsoft Pinball Arcade Trial
Microsoft Publisher 2002
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
MicroStaff WINASPI
Motherboard Monitor 5.0
MSRedist
MUSICMATCH Jukebox
My DSC
My Photo Center
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Ghost
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
OE Messenger Plugin for Ad-aware
PaperQuote '01
PC Pitstop Optimize 1.5
PC-Doctor for Windows
Photo Story 3 for Windows
PhotoParade Player
Pixelon Player
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
Quicken Financial Center
QuickLink MessageCenter III
QuickTime
QuikSync 3
RAMrocket
Registry Drill
Reveries Screen Saver
S3 Gamma
SabreWing 2
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Sentinel System Driver
Shockwave
Skype™ Beta 0.95
Sonic Foundry Super Duper Music Looper XPress
Spam Buster
Stamps.com Internet Postage
Studio
Symantec Script Blocking Installer
SymNet
TaxACT 2003 Preparer's - 1040 Edition
TaxACT 2003 Preparer's - 1065 Edition
TaxACT 2003 Preparer's - 1120S Edition
TaxACT 2004
TaxACT Iowa 2003
TaxACT Iowa 2003 - 1065 Edition
TaxACT Iowa 2003 - 1120S Edition
TaxACT Iowa 2004
Tcl 8.0.5 for Windows
The Print Shop Premier Edition 5.0
TwistedPixel Visualization for Windows Media Player
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinPatrol
WinZip
WordPerfect Office 2002 Try Before You Buy
WordPerfect Office 2002 Try Before You Buy
Yahoo! Messenger
Zinio Reader
COMBOFIX LOG:
ComboFix 07-08-09.3 - "Owner" 2007-08-09 22:05:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT -5:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\bywtrp.dll
C:\WINDOWS\fihjkj.ini
C:\WINDOWS\jkjhif.dll
C:\WINDOWS\prtwyb.ini
C:\WINDOWS\system32\cryend.dll
C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp13FA.tmp.dll
C:\WINDOWS\system32\tmp1400.tmp.dll
C:\WINDOWS\system32\tmp49F.tmp.dll
C:\WINDOWS\system32\tmp54B.tmp.dll
C:\WINDOWS\system32\tmp563.tmp.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))
2007-08-09 22:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 21:57 52,736 --a------ C:\WINDOWS\SYSTEM\hpsysdrv.exe
2007-07-21 12:14 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-07-21 03:15 <DIR> d-------- C:\Program Files\PCPitstop
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-06 21:57 --------- d-------- C:\Program Files\SymNetDrv
2007-08-06 21:57 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-05 02:29 --------- d-------- C:\Program Files\PestPatrol
2007-07-28 23:26 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-18 12:11 38567 --a------ C:\WINDOWS\system32\pcpbios.exe
2007-05-16 10:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2005-02-16 06:42 27840 --a------ C:\WINDOWS\java\x.exe
2004-11-07 07:26 190664 --a------ C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2004-06-13 07:00 28 --a------ C:\WINDOWS\java\vw\vrp80.bin
2000-12-12 12:17 100432 --------- C:\Program Files\Win2000PPAHotfix.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll [ ]
[HKEY_CLASSES_ROOT\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 17:56]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 18:34]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" []
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-04 13:32]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-02-28 18:46]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-04-28 12:00]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-07-09 16:51]
"PCPitstop Optimize Registration Reminder"="C:\Program Files\PCPitstop\Optimize\Reminder.exe" [2007-07-09 16:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" []
C:\Documents and Settings\Owner\Start Menu\Programs\Zinio\Startup\
Desktop Assistant.lnk - C:\Program Files\2nd Story Software\Desktop Assistant\Dsktop.exe [2004-12-01 08:28:08]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotbar]
C:\Program Files\Hotbar\bin\4.3.2.0\HbInst.exe /Upgrade
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Startup Options]
C:\Program Files\Iomega\Common\ImgStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
????????Ÿ
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
c:\Program Files\Microsoft Works\WkDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperQuote '01]
C:\Program Files\PaperQuote\PQ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
????????Ÿ
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
msblast.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SCardDrv"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"Iomega Drive Icons"=C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
R0 iomdisk;Iomega Devices Disk Filter Services;C:\WINDOWS\system32\DRIVERS\iomdisk.sys
R1 mbmiodrvr;mbmiodrvr;\??\C:\WINDOWS\System32\mbmiodrvr.sys
R2 MASPINT;MASPINT;C:\WINDOWS\system32\drivers\MASPINT.sys
R2 Sentinel;Sentinel;C:\WINDOWS\system32\Drivers\SENTINEL.SYS
R3 Intels51;Intel(R) 536EP V.92 Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 Ps2;PS2;C:\WINDOWS\system32\DRIVERS\PS2.sys
S3 DCamUSBSQTECH;Dual-Mode DSC(2770);C:\WINDOWS\system32\Drivers\SQcaptur.sys
S3 Freedom;FREEDOM Miniport;C:\WINDOWS\system32\DRIVERS\FREEDOM.SYS
S3 ltmodem5;Lucent Modem Driver;C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys
S3 PcdrNt;PcdrNt;C:\WINDOWS\system32\drivers\PcdrNt.sys
S3 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe
S3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S4 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\System32\tcpsvcs.exe
Contents of the 'Scheduled Tasks' folder
2007-08-10 02:39:31 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-08-09 22:10:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-09 22:14:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-09 22:13
--- E O F ---
CONTENTS OF NOTEPAD from Step 4:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"DefaultDomainName"="HEAVEN"
"DefaultUserName"="Owner"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"Shell"="Explorer.exe"
"ShutdownWithoutLogon"="0"
"System"=""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
00,00,00
"LogonType"=dword:00000001
"Background"="0 0 0"
"DebugServerCommand"="no"
"SFCDisable"=dword:00000004
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000001
"AltDefaultUserName"="Owner"
"AltDefaultDomainName"="HEAVEN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Internet Explorer Zonemapping"
"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
00,00
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\
6c,00,6c,00,00,00
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
00,00
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Software Installation"
"DllName"=hex(2):61,00,70,00,70,00,6d,00,67,00,6d,00,74,00,73,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=hex(7):28,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
00,6f,00,6e,00,20,00,4d,00,61,00,6e,00,61,00,67,00,65,00,6d,00,65,00,6e,00,\
74,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,\
00,29,00,00,00,28,00,4d,00,73,00,69,00,49,00,6e,00,73,00,74,00,61,00,6c,00,\
6c,00,65,00,72,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
00,6f,00,6e,00,29,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SCLogon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000