Solved

Winlogon.exe High CPU Usage Safe Mode

Posted on 2009-04-10
27
9,529 Views
Last Modified: 2013-11-22
Hello

On one of my computers winlogon.exe is running at just over 50% even in safe mode. I've run Malware, Superanti-spyware, sfc /scannow and I still have the same problem? Can someone help?
0
Comment
Question by:mail2clk
  • 7
  • 7
  • 5
  • +5
27 Comments
 
LVL 6

Expert Comment

by:akrdm
ID: 24116128
Try creating a new user and see if the same thing happens with the new user. Let me know if this does not fix the issue.
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24116140
Hi mail2clk,

Try disabling everything in startup.Go to start, run, type msconfig, go to the startup tab, and uncheck all of them, disable all of them. Hit apply and ok, and reboot.
0
 
LVL 5

Expert Comment

by:wpathan
ID: 24116142
Please Install HijackThis
http://www.spychecker.com/program/hijackthis.html
and post the log for review
0
 
LVL 5

Expert Comment

by:wpathan
ID: 24116165
0
 
LVL 3

Expert Comment

by:lukefuno
ID: 24116183
download hijackthis and run it and place log file so i can take a look!
0
 

Author Comment

by:mail2clk
ID: 24116487
Here is the log from HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:46:35, on 10/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=2080404
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DMXLinkIE.iDMBHO - {0C4498B7-4D6A-4497-9445-110FCBF752AA} - C:\Program Files\FactSet\DealMaven\XLink\DMXLinkIE.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FactSet Linking Toolbar - {58ACEEFA-B243-42B9-9D1E-26E33C97BE2B} - C:\Program Files\FactSet\DealMaven\XLink\DMXLinkIE.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] regedit.exe /s \\lv.local\SysVol\lv.local\Policies\{E2D16B96-3098-42D9-8D15-E900628F359C}\Machine\Scripts\Startup\errorsuppression.reg
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://trs.webex.com/client/T25L10NSP41EP13-thomson/support/ieatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lv.local
O17 - HKLM\Software\..\Telephony: DomainName = lv.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D474977E-616B-4A65-959C-723444D58631}: NameServer = 192.168.10.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lv.local
O18 - Protocol: fdstp2 - {EDA30510-6AD8-11D2-A1A4-00805F0F0690} - C:\Program Files\FactSet\fdstp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8816 bytes
0
 
LVL 3

Expert Comment

by:lukefuno
ID: 24116617
what kind of protection do you have?
0
 
LVL 3

Expert Comment

by:lukefuno
ID: 24116704
maybe try to do repair installation of xp!!!

here are steps:
Press Enter to start the Windows Setup. (boot from XP cd)

 Do Not choose "To repair a Windows XP installation using the Recovery Console, press  R", (you Do Not want to load Recovery Console).


Accept the License Agreement and Windows will search for existing Windows installations.

Select the XP installation you want to repair from the list and press R to start the repair.

 If Repair is not one of the options, END setup.

Setup will copy the necessary files to the hard drive and reboot.  Do not press any key to boot from CD when the message appears. Setup will continue as if it were doing a clean install, but your applications and settings will remain intact.

---

after that i would install anti virus to run scan again -- use eset anti virus free 30 day trail -- to catch leftover unwanted visitors, and then let me know how it goes!!!


0
 

Author Comment

by:mail2clk
ID: 24116781
McAfee Enterprise and a Juniper firewall with AV

I also disabled everything in startup.

Also I did run sfc /scannow
0
 
LVL 3

Expert Comment

by:lukefuno
ID: 24116922
according to hijack log this one is nasty!

O4 - HKLM..PoliciesExplorerRun: [1] regedit.exe /s \lv.localSysVollv.localPolicies{E2D16B96-3098-42D9-8D15-E900628F359C}Machi neScriptsStartuperrorsuppression.reg

--

now  i am not sure why. but i think doing a simple repair install will cure OS core problems without doing a clean install. i would do this, and then remove McAfee and go with eset 30 day trial. Eset catches most everthing. after that you can go back to McAfee if you want, but do a repair install first (if you want to save time) .

Let me know what you prefer!
Lf


0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24116923
The following is listed as unknown and can be removed if you do not know its source. Please remove all entries in Safe Mode.

O2 - BHO: DMXLinkIE.iDMBHO - {0C4498B7-4D6A-4497-9445-110FCBF752AA} - C:\Program Files\FactSet\DealMaven\XLink\DMXLinkIE.dll

Unnecessary and can be removed.

O3 - Toolbar: FactSet Linking Toolbar - {58ACEEFA-B243-42B9-9D1E-26E33C97BE2B} - C:\Program

Corrupt entry. Remove.

O4 - HKLM..PoliciesExplorerRun: [1] regedit.exe /s \lv.localSysVollv.localPolicies{E2D16B96-3098-42D9-8D15-E900628F359C}Machi neScriptsStartuperrorsuppression.reg

Unknown. Remove if you do not know its source.

O18 - Protocol: fdstp2 - {EDA30510-6AD8-11D2-A1A4-00805F0F0690} - C:\Program Files\FactSet\fdstp.dll

I read that you have performed antimalware/antivirus scans. Have you run them in Safe Mode (F8 at startup).
If the above suggestions fail to correct the error you may need to run a Repair as mentioned.
XP Repair:
http://www.michaelstevenstech.com/XPrepairinstall.htm
A Repair is not designed to overwrite data but you should take precautions.
Additionally, while a Repair may correct the issue it will require that you reinstall your most current Service Pack as well as the Hotfixes that accompany it.
If the problem is only under one log in the user profile could possibly be corrupt.
To test, log in as a different user. If the problem does not persist chances are the profile is bad. In that case, you may need to recreate the profile of the user that is experiencing the issue.

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24121032

Dont do a repair yet.....Need to find out whats REALLY using the CPU, in case it is NOT actually winlogon.exe, but a loaded module....

Process Explorer for Windows
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

Double click the offending file. Then Select the Threads tab, and see what .exe or .dll is using the CPU, and then select it by double clicking it....and copying/pasting the call stack here.....
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24121034
Just out of curiousity....

errorsuppression.reg

Is this to supress errors in Offline File Synchronization? If you are using Offline Files, if the CSC is corrupted, it could cause winlogon to tank the cpu, caused by cscdll.dll. Lets get the  screenshots/pastings of PE....
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:mail2clk
ID: 24121055
John

That is what the error suppression reg was to suppress offline errors. how do I find the dll file which is causing the problem
0
 
LVL 3

Expert Comment

by:lukefuno
ID: 24121801
hey Johnb6767 -
<<in case it is NOT actually winlogon.exe, but a loaded module....>> where would loaded modules hang out by default in xp? just curious...


0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24123431
See my post above about Process Explorer......

It is very common for the task manager to show that a file, say "iexplore.exe" is using the CPU excessivly. Using Process Explorer, when you double click on IExplore.exe, and notice that it might be Flasch9e.ocx using 50% of the CPU, which you have just narrowed down your troubleshooting.....

Let me clarify.....

<<in case it is NOT actually winlogon.exe, but a loaded module....>>

Probably would have read better if I stated...

<<in case it is NOT actually winlogon.exe, but a loaded module under the parent process of winlogon.exe....>>
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24124294
Just for future reference for users who have Hijackthis:
You can also do this with Hijackthis  "Open The Misc.Tools Section" > "Open Process Manager" > checkmark "Show Dlls"

Highlight the winlogon.exe process and it will show you all the Dlls that load with it and options what to do including checking the properties etc.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24124684
Correct, but you can't view call stacks.... Thats whats critical about PE, is once you see the call stack, you can *ussualy* determine the problem.....
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24124726
Yes of course Process Explorer can do that which Hijackthis cannot compete.

mail2clk,

You might also try running Combofix, the log may show us the culprit..the Hijackthis log shows that the system is running in diagnostic mode so there may be some startup/loading entries that aren't being scanned..

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
0
 

Author Comment

by:mail2clk
ID: 24126387

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.2.lnk - C:\Program Files\eFax Messenger 4.2\J2GTray.exe [2006-12-07 16:02:22 612352]
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-01-30 18:11:48 192512]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32 81920]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-02-08 12:10:00 394856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-21 08:56 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 wvauth

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office Outlook 2007.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Outlook 2007.lnk
backup=C:\WINDOWS\pss\Microsoft Office Outlook 2007.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timbuktu Pro.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Timbuktu Pro.lnk
backup=C:\WINDOWS\pss\Timbuktu Pro.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\msiexec.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"21:TCP"= 21:TCP:FTP
"1417:TCP"= 1417:TCP:Timbuktu Control
"1418:TCP"= 1418:TCP:Timbuktu Observe
"1419:TCP"= 1419:TCP:Timbuktu Send
"1420:TCP"= 1420:TCP:Timbuktu Exchange

R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 10:33 8944]
S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 10:33 55024]
S2 ASFIPmon;Broadcom ASF IP Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 18:25 65536]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-10-10 12:56 47640]
S2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 22:38 24652]
S3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;C:\WINDOWS\system32\DRIVERS\ATTchDrv.sys [2007-08-28 15:44 88064]
S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 10:33 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b19c49e5-7f9a-11db-bb6c-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-13 C:\WINDOWS\Tasks\User_Feed_Synchronization-{7116AF03-ED93-4F18-877B-D0977941A5AD}.job
- C:\WINDOWS\system32\msfeedssync.exe [2007-08-13 19:36]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=0061124
IE: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {B4013A24-D514-4752-BF4A-E48E0C0B715D} = 192.168.10.10,195.8.69.7,195.8.69.12
DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} - hxxp://h16.e-tmm.com/bin/tol7inst.cab
.
0
 

Author Comment

by:mail2clk
ID: 24126421
John
Here is the stack
ntkrnlpa.exe+0x2bf2a
ntdll.dll!KiFastSystemCallRet
cscdll.dll!WinlogonLogoffEvent+0x17eb
cscdll.dll!MprServiceProc+0x4bc
cscdll.dll!WinlogonStartShellEvent+0x185
cscdll.dll!MprServiceProc+0x1b
cscdll.dll!WinlogonStartupEvent+0x40
kernel32.dll!GetModuleFileNameA+0x1b4
0
 

Author Comment

by:mail2clk
ID: 24126431
Winlogon DLL's in use

jjjj
jjjj
jjjj
jjjj
jjjj
Security
Winlogon
(0x%x,0x%x)
OptionValue
system\currentcontrolset\control\safeboot\option
AEPolicy
SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment
!This program cannot be run in DOS mode.
[Rich
CS P
.text
`.data
.rsrc
ADVAPI32.dll
AUTHZ.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
NDdeApi.dll
PROFMAP.dll
PSAPI.DLL
REGAPI.dll
RPCRT4.dll
Secur32.dll
SETUPAPI.dll
USER32.dll
USERENV.dll
VERSION.dll
WINSTA.dll
WINTRUST.dll
WS2_32.dll
wyP
wxj
wuw
wea
wDR
wCi
wSw
Flw
Plw
[lw(?lw
Glw
Blw~Blwhclw+Ulw
MPz
wIb
vkE
vIE
vOc
6vVS6v9
S6vY
6vQr6v
n6vIw6v9
qMf
hGS?(
MHH
ohh
nhh
%lee
fDB
m_YY
n_YY
mnYX
sll
@U\VV
!MHH
FBB
gaa
|PKK
voo
5MHH
SNN
Jpii
mff
lee
uRP
FBB
vrkk
IDD
rOM
mQLL
<,mff
vSQ
YTT
@UJJ
qee
KAA
qee
uch\\
KAA
FBB
mQLL
YTT
!MHH
FBB
gaa
|PKK
voo
5MHH
SNN
Jpii
mff
lee
uRP
vrkk
IDD
rOM
<,mff
vSQ
KBB
MDD
OFF
YVLL
@eVLL
pee
PGG
qff
PGG
TKK
ujj
VLL
Z}mbb
xmm
ZQQ
BQHH
cSJJ
odd
pee
IAA
WNN
d)kaa
z_VV
AJBB
vMEE
TLL
vll
cLK
BULL
LDD
1*dZZ
4mWNN
F3SJJ
bXX
zoo
YPP
IMB::
YPP
KAA
R_TT
yxPFF
a^SS
'ZOO
26KAA
dZZ
/mbb
ULL
LCC
0>cXX
ysUKK
PGG
qff
PGG
TKK
pdd
ZPP
JAA
|TJJ
dXX
d)kaa
z_VV
AJBB
vMEE
TLL
vll
cLK
u>SV
wbf
SVW
PQPQ
SVW
PQS
SVW
u$SPQPQ
SVW
RPQPQ
SVW
PQPQS
(SVW
VPQ
Gc`H
0SVW
s HA
(SVW
RQPV
,SVW
4SVW
szS
SVW`
PWW
PSV
PSV
PSV
PSV
SVW3
Rhh
PWW
PSV
PSV
PSV
PSV
RPj
Rhl
SVW`
PWW
PSV
PSV
PSV
PSV
RPj
hrdx
VhBf
Rhp
SVW`
PSV
PSV
PSV
PSV
SVWj
RPj
Rht
SVW`
PWW
PSV
PSV
PSV
PSV
RPj
Pj@VW
v4SW
FG;u
SVW
@H+AD
pPj
pPj
pPj
pPj
pPj
@H+AD
pPj
pPj
pPj
pPj
pPj
pPj
pPj
pPj
pPj
pPj
pPj
pPj
pPj
@H+AD
pPj
pPj
@H+AD
pPj
pPj
@H+AD
pPj
pPj
pPj
pPj
tGF#
QQS
tNG
ollmentRefreshTime
Software\Policies\Microsoft\Windows\System
userinit.exe
Default
UserInitAutoEnroll
UserInitAutoEnrollMode
ShellReadyEvent
AUTOENRL:UserEnrollmentShellTimer
AUTOENRL:UserEnrollmentTimer
AUTOENRL:MachineEnrollmentTimer
AUTOENRL:TriggerUserEnrollment
Local\
AUTOENRL:TriggerMachineEnrollment
Global\
Warning Sounds
Control Panel\Accessibility
/Hotkey
UtilMan
utilman.exe /debug
ForceAutoLogon
WINLOGON
AutoAdminLogon
DefaultUserName
DefaultDomainName
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
\Registry\Machine\System\CurrentControlSet\Control\Terminal Server
fSingleSessionPerUser
EnableConcurrentSessions
System\CurrentControlSet\Control\Terminal Server\Licensing Core
%4d:%02d:%02d
Global\TermSrvReadyEvent
unknown    
OEM Driver
%dx%d %s
AutoSelectLogon
Container-%lx
Provider-%lx
Reader-%lx
Card-%lx
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SCLogon
ediskeer.dll
Starter
_CsCapLib
Microsoft Enhanced Cryptographic Provider v1.0
Non-fatal error (%d:%016I64X) occurred.
Error (%d:%016I64X). Rebooting.
Error (%d:%016I64X). Shutting down.
Windows Starter Edition
TMP
TEMP
HOMEPATH
HOMESHARE
HOMEDRIVE
System\CurrentControlSet\Control\Session Manager\Environment
GinaDll
msgina.dll
Key
RASMAN
KeepRasConnections
COMPUTERNAME
vpn
netapi32.dll
IMM32.DLL
Start
SYSTEM\CurrentControlSet\Services\NetDDE
ClipSrv
default
WinSta0
\\.\pipe\NetDDE
WinSta0\Default
NDDE$
NDDEAgnt
WlMprNotifyWinlogonWindow
WlMprNotifyPassword
WlMprNotifyOldPassword
WlMprNotifyOldPasswordValid
WlMprNotifyDomain
WlMprNotifyUserName
WlMprNotifyStationHandle
WlMprNotifyStationName
WlMprNotifyDesktop
WlMprNotifyLogonFlag
WlMprNotifyLogonId
WlMprNotifyProvider
WlMprNotifyPassThrough
WlMprNotifyChangeInfo
%s\Winlogon
ntsd -d %s%s
mpnotify
mpnotify.exe
Class
system\CurrentControlSet\Services\
\NetworkProvider
ProviderOrder
system\CurrentControlSet\Control\NetworkProvider\Order
\cdfs
\fat
\ntfs
AllocateDASD
AllocateCDRoms
AllocateFloppies
AppEvents\Schemes\Apps\PowerCfg\CriticalBatteryAlarm\.Current
AppEvents\Schemes\Apps\PowerCfg\LowBatteryAlarm\.Current
Low Battery Alarm Program
Critical Battery Alarm Program
SnapShot
Maximize
Minimize
RestoreDown
RestoreUp
Close
Open
MenuCommand
MenuPopup
SystemAsterisk
SystemExclamation
SystemQuestion
SystemHand
.Default
SAS window class
sethc %ws
PromptPasswordOnResume
Software\Policies\Microsoft\Windows\System\Power
ShadowFilter
Software\Microsoft\Remote Desktop
__DDrawExclMode__
__DDrawCheckExclMode__
taskmgr.exe
WINSTATIONNAME
Software\Policies\Microsoft\Windows\Control Panel\Desktop
eControl Panel\Desktop
Shell
explorer.exe
AutoRestartShell
SAS Logon Notify
SAS window
scrnsave.scr
(NONE)
SCRNSAVE.EXE
ScreenSaverGracePeriod
Screen-saver
RestrictNonInteractiveAccess
\Sessions\%d\BaseNamedObjects
lsass.exe
System
%SystemRoot%\system32\userinit.exe
nddeagnt
userinit
Nddeagnt.exe
Userinit
\INSTALLATION_SECURITY_HOLD
SetupType
SYSTEM\Setup
SetupShutdownRequired
SystemSetupInProgress
syssetup.dll
Repair
HibernationPreviouslyEnabled
SetWin9xUpgradePasswords
\migpwd.exe
Winsta0\Winlogon
MigPwd
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SYSTEM\CurrentControlSet\Control\MiniNT
dnetplwiz.dll
RunNetAccessWizard
winsta0\Default
ntsd %s %s
Cmdline
\Security\NetworkProviderLoad
Autochk
bootex.log
Fonts
PagingFiles
\temppf.sys
srrstr.dll
RestoreInProgress
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
System shutting down.
\Sessions\%ld\DosDevices
-winlogon %d
-setup
LsaStart
%SystemRoot%\system32\lsass.exe
SaveDumpStart
%SystemRoot%\system32\savedump.exe
ShutdownStateSnapshot
ShutdownEventPending
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability
TempDestination
DumpFile
\Registry\Machine\System\CurrentControlSet\Control\CrashControl\MachineCrash
\MEMORY.DMP
EventFlag
SYSTEM\CurrentControlSet\Control\Watchdog\Display
SYSTEM\CurrentControlSet\Control\CrashControl\MachineCrash
ServiceControllerStart
%SystemRoot%\system32\services.exe
InitShutdown
%02d:%02d:%02d
%d days
Win32 Registry/SystemShutdown module
Win32 SystemShutdown module
%u.%u.%u.%u
AllowMultipleTSSessions
DisableIdleLogonTimeout
\\.\Pipe\TerminalServer\AutoReconnect
Global\TS-WPAAE
TermService
winlogon: user logon event
RCommonProgramFiles
CommonFilesDir
ProgramFiles
ProgramFilesDir
Software\Microsoft\Windows\CurrentVersion
APPDATA
shell32.dll
SESSIONNAME
Console
USERDNSDOMAIN
Volatile Environment
USERPROFILE
USERDNSDOMAIN=\NT4
NoPopupsOnBoot
System\CurrentControlSet\Control\Windows
RasAutodialLogoffUserDone
RasAutodialLogoffUser
winlogon:  User GPO Event %d
Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableBkGndGroupPolicy
Software\Policies\Microsoft\Windows\System\Scripts\
MaxGPOScriptWait
wlnotify.dll
Software\Policies\Microsoft\Windows NT\Terminal Services
PerSessionTempDir
System\CurrentControlSet\Control\Terminal Server
UserInitGPOScriptType
Startup
winlogon:  machine GPO Event %d
RunStartupScriptSync
NETLOGON
NTDS.IndexRecreateEvent
Shutdown
Logoff
RunLogonScriptSync
Logon
Run Group Policy Logon Scripts
Finish User Group Policy
Begin User Group Policy
Finish Machine Group Policy
Begin Machine Group Policy
win9xupg
RunGrpConv
System\CurrentControlSet\Control\SafeBoot\Option
PrimaryDnsSuffix
NV PrimaryDnsSuffix
Software\Policies\Microsoft\System\DNSclient
Domain
NV Domain
Hostname
NV Hostname
System\CurrentControlSet\Services\Tcpip\Parameters
e%windir%\system32\sfc.dll
ALLUSERSPROFILE
Local\WinlogonTSSynchronizeEvent
ntsd -d -p %d
ntdll.dll
WinStationsDisabled
\Sessions\%d\BaseNamedObjects\ReconEvent
\BaseNamedObjects\ReconEvent
Global\SingleSesMutex
Windows setup has completed, and the computer must restart.
UserRequestedUpdate
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
wuaueng.dll
sbasesrv.dll
Windows Update
Reset ComCtl32
%SystemRoot%\system32\msgina.dll
%windir%\system32\
CLSID
NoDebugThread
DisableLockWorkstation
COMCTL32
powrprof.dll
Shell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LocalUsers
::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
shell32.dll,10
Microsoft.NetDriveReconnectFailed
USERNAME
Owner
Data
GBG
Skew1
System\CurrentControlSet\Control\Lsa
SecureBoot
Impersonate
Asynchronous
MaxWait
DLLName
SafeMode
%SystemRoot%\system32\sfc.dll
sfc.dll
termsrv
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
tWINSCARD.DLL
DefaultPIN
SCard$AllReaders
\\?PnP?\Notification
O:SYG:SYD:(A;;RC;;;SY)
ncalrpc
%s-%lx
sclogonrpc
VerboseStatus
wkssvc:  MUP finished initializing event
lanmanworkstation
WaitForNetwork
MaxRetrySysvolAccess
\\%s\sysvol\*.*
SysVolReadyEvent
SysVolReady
SYSTEM\CurrentControlSet\Services\netlogon\parameters
NtdsDelayedStartupCompletedEvent
RpcSs
SamSs
Winlogon Job %x-%x
\SAM_SERVICE_STARTED
Comctl32.dll
WindowsLogon.manifest
eventlog
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
ncacn_np
\PIPE\
Remote\%d\GdiPlus
Remote\%d\Control Panel\Desktop
Software\Microsoft\Windows\CurrentVersion\ThemeManager\Remote\%d
Software\Microsoft\Windows\CurrentVersion\Explorer\Remote\%d
UserPreferencesMask
Yes
HighQualityRender
FontSmoothingType
SmoothScroll
DragFullWindows
ThemeActive
Wallpaper
TaskbarAnimations
Force Blank
ActiveDesktop
uxtheme.dll
TSConnectEvent
\Security\WxApiPort
0x%08lX
Smart Card Logon
TypesSupported
EventMessageFile
%SystemRoot%\System32\scarddlg.dll
System\CurrentControlSet\Services\EventLog\Application\Smart Card Logon
.bak
Software\Microsoft\Windows NT\CurrentVersion\ProfileList
NextLogonCacheable
UserPreference
LocalProfile
ShutdownWithoutLogon
OOBE Job
\oobe\msoobe.exe
%s\EmbdTrst.dll
MediaCenter
Installed
Global\WPA_LT_MUTEX
Global\WPA_PR_MUTEX
Global\WPA_HWID_MUTEX
Global\WPA_RT_MUTEX
OOBETimer
Windows Product Activation
\wpabaln.exe
BCDFGHJKMPQRTVWXY2346789
Microsoft Strong Cryptographic Provider
%s\oembios.bin
IDR_WPA_LICSTORE
Global\WPA_LICSTORE_MUTEX
-OEM-
System\WPA\
%s%s-%s
xpsp2res.dll
WlxDisconnectNotify
WlxReconnectNotify
WlxGetConsoleSwitchCredentials
WlxRemoveStatusMessage
WlxGetStatusMessage
WlxDisplayStatusMessage
WlxNetworkProviderLoad
WlxScreenSaverNotify
WlxStartApplication
WlxShutdown
WlxLogoff
WlxIsLogoffOk
WlxIsLockOk
WlxWkstaLockedSAS
WlxDisplayLockedNotice
WlxLoggedOnSAS
WlxActivateUserShell
WlxLoggedOutSAS
WlxDisplaySASNotice
WlxInitialize
WlxNegotiate
NetMessageNameDel
NetMessageNameEnum
ImmDisableIme
ScreenSaverIsSecure
NoAutoReturnToWelcome
ScreenSaveActive
RepairStartMenuItems
SetupSetDisplay
NetAccessWizard
ResumeRestore
CTXDOMN
CTXUSRN
CTXSRVR
SHGetFolderPathW
TermsrvCreateTempDir
SfcGetNextProtectedFile
DbgBreakPoint
BaseSrvNewObDirAcls
InitCommonControlsEx
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Winlogon
SetActivePwrScheme
GetActivePwrScheme
DllGetClassObject
A:\startkey.key
Reconnect
Disconnect
PostShell
StartShell
Unlock
Lock
StopScreenSaver
StartScreenSaver
Shutdown
Startup
Logoff
Logon
SfcWLEventLogon
SfcWLEventLogoff
SCardAccessStartedEvent
SCardIsValidContext
SCardCancel
SCardGetCardTypeProviderNameW
SCardListCardsW
SCardListReadersW
SCardFreeMemory
SCardEstablishContext
SCardGetStatusChangeW
SCardReleaseContext
SCLogonSecurityCallback: AuthzAccessCheck failed - %lx
SCLogonSecurityCallback: RpcGetAuthorizationContextForClient failed - %lx
SclogonInit: ConvertStringSecurityDescriptorToSecurityDescriptorW failed - %lx
SclogonInit: RpcServerRegisterIfEx failed - %lx
SclogonInit: RpcServerUseProtseqEpW failed - %lx
ScHelperInitializeContext failed - %lx
jYIx
HnH
ImageOkToRunOnEmbeddedNT
IKq
KwV
US]CQ
%08x,%08x,%08x,%08x
Hash%03d
HashSize
HashBlocks
Type
yMS
nKl
OEM-5.1
Version
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
Bdy
kzb#
lUa
zmtN
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
Z38nM
%s%ls
D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)
Global\WPA_LICSTORE_MUTEX
Global\WPA_HWID_MUTEX
Global\WPA_LT_MUTEX
Global\WPA_RT_MUTEX
Global\WPA_PR_MUTEX
CDROM
DiskDrive
Display
hdc
SCSIAdapter
DEST
GetIfTable
\iphlpapi.dll
%02X%02X%02X%02X%02X%02X
GenuineIntel
%s Family %d Model %d
Non-x86
RSA1
VVVV
WSWj
PPPPj
PVh
PSSSSSSSj
PSSSSSSh
PSSSSSS
tqj
SWV
PVht
WWWPW9>t
PWh
WWWW
tch
Vhot
WWWW
WWW
Vhot
PPP9E
Vhot
PPPP
jxYf
PhL
SSSSS
tAIu:f
ZVj
WuK
jxV
PVhR{
PSV
Hu@W
tSSh*|
PPh
ShH
PSh
PSh
Pjd
WjG
PWWj
PWWj
Vhh
t$8hA
PSSj
PSSW
ztE
QWh
PSSW
ztf
Phh
PWh
t$$hm
PVVj
QSVW
PVWj
uBd
WSj
ttWj
SVW
VSj
tgVj
PVhl
WSW
tbh
jjW
WWh
RPh8
PSSj
j hB
zuD
SVW
t$@hc
WWh
WPh
VWS
WWh
j hB
PWS
PSW
FVSS
WWh
PPP
sHh
sHPh
j hB
ChP
WPh
CXQP
tih
WPh
sHh
pHSh
;AHu
SWh
WWh
WWh
t$(hq%
SSh
SPh
WVS
SSh
t$0hl
jxC
VSj
PWh?
WWWhx
Pj j
SSS
Wj0Y3
VWj(Y
QPj
PWWh
PWWh
tfW
tLWW
BBFF
u}jhj
FHu
uXV
j Wh N
v`Sh
vAV
vFV
Ht#Ht
Hu!j
tof
tih
SVW
BFFf9
PPPW
HHu$V
QSVW
toW
t+Hu$f
ShH
YYt%9^0u j
ShX
QVW
SVW
Pj@j
t4Ht
tHd
VVVVVW
VVhX
SVW3
PVVVW
QQSW
PWW
t>Wj
SVW
jW[tY
Shp
vOH;
PWj
WWWW
VVj
PhZ
QSP
SVW
jxV
GWj
XPj
tRh
tKh
PWVh
PPjNP
tWV
PWS
WhSE
PWVhy
tFj
WWV
tgh
PWW
YYt
FFh
PVh$
PSSj
YYt#
t}VVVh
jAVVj
VVP
SVW
VVh
vZh
VVh
QQVW
PWWj
QQS
uoW
QQV
HtbH
SSSSSS
HHj
VRWQ
YYuE
YYu1
VGh
tDSh
t0Sh
uOW
urQ
t`VRQ
tOS
GWh
VVPPPPh
PhT
VVVVV
PQh
Whn
SVV
PWVh
PVh
AAf
PWh$
SVW
Htp-
t+Pj@
SSSSSSSj
|UhH\
SSSSSSh
SSSSSSh#
SSSSSSSSj
PSj
PSSj
t&SSj
PhT
PSSS
HSV3
FSh
QPf
SSP
tuF
@QVQ
WSh
HHt
uaS
PVj
PVV
QPj
gur
uBj
uOj
SVH
SSWh
VSS
VWj
tcd
t$ hT
QSVW
SSj
WWW
PPP
t$(hZ
PWWW
t$$hW#m
Whx"
PWhD"
SVW
PSh
SSQP
uEh<#
t$4hy
SSS
SVW
uI9s
VhH
PVh
GGf
VVh
uH9s
tPj
XPS
PVhL$
PVhL$
jLW
jdW
GWVP
PVj
PVj
VVVj
VVPj
DQMB
RQW
CdP
CdP
CdP
CdP
jLW
VVVVVVh
PPPPPW
QQh
QQh
teV
AAQP
PWhL$
PWhx%
PWh`%
PWhD%
PWhD%
PWhL$
PWhx%
PWhD%
PWhD%
=jBh
SVW
tZSSh
SSh
SSSh
PSj
PSj
bWj
t5Vj
SSSSSSSSj
SSSSSSh
SSSSSSSj
SSSSSSSSj
SSSSSSSj
SSSSSSSSj
QQV
SVW
QPS
t+WV
VWj
VWu>
QQSV
QPj
PWj
t!WV
QVj
PjF
PjL
t!WV
SVW3
QQS
ShH
YYt
YYuU
tqf
YYu
VWj
QVjW^
Vhd'
Vhd'
PVh
tdh
SSj
PSj
SSj
WjG
WhH
uPVWWWW
PVVVh
PVh
VVVV
VhH
tE9u
t;Wh
VVVV
ShH
PSh
PShX(
uBh
SVW
Phd'
PVVh,*
RSSSh
SVW3
VVVWV
QQSW
Phx*
SPh
VWSSh
QPPh
SVW
PSh
WRP
~UNNS
WRP
vNV
uZV
SSh
uCV
BBNu
TSWj
PSSSWS
tgj
tXW
PVW
VhH
PVh
VVP
VVj
VVh
PVh
VhP-
VVVVh$-
VVVVh
uuVh
t6VVV
VhP,
VVj
VVhd&
tch
CCf
YYt
VVV
YYu
u&VW
SSSSSSSj
PhPZ
QVR
CSj
QSVW3
VVj
tOSP
jCWWWWj
PSj
PSSj
zuB
tUf
u$9=XZ
Vul9
SVjW
f9:u5f9z
jWX;
PGh
HHSt
IIt&
t4Ht
WjG
WjF
SVWjGYj
VhH
PVh,1
SVWj*
SVVS
u$Sh
VVV
zukjB
PWh
GWVV
XVV
tkHuzh
FHf
FLf
VWj&
tqVW
SShx3
SSj
Yt-d
Qhh
YYuP
@~ WWu
tVh
tAd
PWu
3WPWV
HHt
jfXPQ
jxX
jfV
uGV
s*Wj
[uEV
FhPh
Nlu
SVW
PSh
SSh
FFf
FFf9
FPF
HHf
FFf
FFf9
HHf
FFf9
Shx3
tqhL3
ujV
WWWWWWh"
SShG
SPhP
ShC
SPhQ
ShC
SPhQ
Y@Y@f9
ShC
WhQ
SWhN
u9f9H
u3f9H
FFf
FFf9>u
Pj WW
PSh<4
WhH
PWh
PWh
PWj
WWWW
t)WP
VWj
Yjh
VhH
PVhx6
PVhx6
SVh
rJVVVh
PSW
VVVSVVj
PShD7
tIh
PWW
QhF
tJh
Wht8
ShH
PSh
PShH8
PSh
PShH8
F<Pj
PSj
SSSS
FHt
FLP
FDt
tej
tHP
WShH
PWj
PWh
PShx6
SSj
WSht
PhP9
SSj
SWj
VhH
PVVh$:
VWj
Hti3
PPP
ZSW
SVW
PFj
tKSSSP
SVW
PSh
PSh
PShl;
PShl;
PSh
PSh
jVW
SSSj2SSS
t7Sj
VVS
Phd<
SSS
PSSSSSSSj
tDj
PPVj
SVVS
PSSSSSS
tRh
t>Wh
VPh
VVV
SPV
t[f9;uVf
mret
CdP
FpP
PWPPPh
PWPPPh
jGYj
RPj@
jjjj
FpP
CdP
VVPV
PVhp>
t?hz
PPShM
ShP:
PSh
tfj
tSj0S
PSS
j h0u
PSSh
9X0WVt
PVW
PVW
SSj
SSj
ShP?
t6It)It
SWu`
VVS
QSVW
RQPj
HuL
QSVjx^Vj@
6jBPS
tFS
QQSWjx_Wj@
thV
u1jB
SVW
QQhl@
QSV
SWj
t$(hY
PSh
QQV
VVVV
PWV
hSS
hLA
Qh<Q
QSV
PSSj
QVW
PWVhC-
jxV
SSj
SSj
u0SV
QQSV
PCS
uBWV
PPPPP
VVVV
SWV
tPh
t$ hi
t$4hb
j Wh0u
PWh
WWj
jxS
WWj
Pj j
AHu
AHu
AHu
AHu
AHu
AHu
WhhA
j h0u
VVS
zsj
x#hw
tkK
m7Jr
bv90R)
P/ns
UELw
Krc#z
eHa;
Qba
bKV
quN,Cm
=un@^p
I"S"B"
'ZaA
txJx
mE|EtEAE
f=f1f
g,g!g
gXg
{+y$y<y4y
ynyfy#{
yTy
xsx
QSV3
HHt
u89~4uAj
t'Ht
XPV
jxS
WWj
WWj
Htd
SVW
u-SV
SShX
SSSS
SPh|
uiV
hN$g
q$PjTP
WWWWWWWWW
WWWWWWWWW
WWWWWWWWW
WWWWWWWWW
FBB
QQSV
WWh
FVS
WjHj@Vh
WPhp
tDHu
PjHj@j
Php
uMh
VWv
PVhTC
PVVh?
SVW
PShHD
PSh8D
uXh
VjTj@
hlD
FD_t
VjTj@
VjTj@
SVW
PWWW
YYt 9=
YYt1
PWWW
j0h`E
JtaJt
JtsJtP
HHu
u"WV
ShV
SWh<F
hlE
jlhXF
PSh?
SSShx
8SjBP
hdF
j~hY
PWW
tJj
j~hY
YYt
j~hY
8jBP
j~hY
jDh
9XXt
PSSj
9HXu
VVh
PhxG
QVVV3
PVVV
Ph(G
PVV
t#Ph
hpH
Ph,H
YtOV
QQS3
VWj
QQV
tZS
QQV
tZS
tsS
QQV
tZS
PhY
SVWu,
HHt
HHt
jfXP
HHt
HHu
jfXP
WtMP
tQV
SVhY
-mret
t%It
IIt
-mret
mret3
PSSj
mret
mret
aWV
PhY
mret
TVW
PhY
mret
mret
mret
mret
-mret
-mret
Wtaj
YYWh
WWW
-mret
mret@
JVW
tEJt%Jt
q,Qt
mret
HVW
Ht#Ht
CdP
mret
tGh
YYt
=SVW
PSj
tqWh
tS9u
VVW
SVW
VhH
PVhXI
VWj
hpJ
hxI
SVW3
WhH
PWhXI
Vht8
jhh
PVVVWV
PVW
mret
RQW
Phh
QVW
hSVW3
PVVV
PVV
VVV
SVW
SSSS
CSV
SVW
QPh
PVh
PVh
SVW
uOj
VWj
PWWh
VWj0j@
PGj
(SVWh
u*SS
tYV
uMV
jph8M
8MZu
XPVSS
SVW
hXM
PWWj
tXj
WWj
QSV
QRPh
QRPh
QRPh
QRPh
B dP
B8PP
BLxN
BP8P
PWWWh|O
QPj
VWh
zuRV
QPPPPPPPj
QQS
VWj
tLj
PVh?
hxN
Ph\Q
hLQ
hxN
Ph\Q
VhLQ
~,WQPR
VPV
wAtp=
PWh
toWW
hLV
dSV3
PSj
QPj
PSj
QPj
PSj
PSj
SVWr|
wUf9|V
wGf9|N
w<f9|F
v'Pj@
SPj
upSVW
t/SWh
SVP
YSj
PVVh
Pj W
PVVVj
QPVVj
VVW
PVVh
tTV
SVW
PSj
PSj
SVW
PSS
Pj W
u SSj
PSS
\SVWj
Pj V
@SVW
Pj W
WSj
PWj
SVW3
PWj
QPj
QQS
t!j j@
tKVj W
QPj
Wt!P
HuqSW
HHuoSW
SSSSj
t.@Pj@
t'SS
QRPh8
QQV
Ph4X
PSj
PSj
QRPhX
mjq
rjB
Nmc
K9X9t9
gAd3
NGHcq
dqZ
puk
Mv]vov
xNG)
>nNu
SVW
Kjf
Pj S
aWy
AAX?
rki
tgyq
*OZx
`Qhh
$urQ
`Qhh
gkvI
Yrh}
kWJ
cHWI*
xsU)g
`fQz
adwHD
&1fAk
UMA
`QhP
vZu
rQp
Jv$w/
Cgpu
>ljk,XWa"
DkUJ
qQDq
WV@x
K|dS?
fmic
QFzQ8
IJ]J~J
"-QIr
LkR
l+k-(p
SAq
AbE
r{YJ
a&U4ZC.
WxO
Cit
8uIK
NdW
jSI
I/ko
MTtC1
cmm
=hHq
clF
HEc
ca]T7
3OzF
Ll5n
_gLM
SAd
A[VSB
DWUJ
ItLv-=
2ar}VSF
YTD
Pvk
qGQ
[nn"j
T&EL
sDo
ELNf
ZOg
Yv~ux
wZv!v
Dtn
`QYQ
ORhR
c$MH
ouZ
OXV
YBjj=
cik
`Qhh5
xl*!+D
XOMVI
e_Zpw
{kxL
r3Fh{
HKi
VSq
ijI<
RV:\.pv
ADY>
|~jYV1
TWJ
vBK
,SYC`U'
\GYF
uRz
NKijT>
B!3x2h5
NwNPN
xPC
K4Ff
i{Sd
uJq
c{cxE
6BbB
BWC
BIB
C5CQC
Sde
QTSI`[
ydU
DaIb
OyR
aFu:
PVK
QIIQ
DrMrQr
rls
VJjH
DzJ{
lK>^S
a-(&McTQ-Q
WWG\
R#aPY <3
,*"Hi@y
dZM
c?Cz
Iqn
qY]d
mTL
JEr
CWtEu
T@Zb|E
buV
gZB
YyQ
"caz
Zx8Dl0t
fLx
M'zI
;FC|K9
EOq
DyH
XYO
{wUCU3
J;JFJWJ
`QhhO
BJf
WFf
BJf
WFf
Pj S
Vj/hX$
Vj/hX$
;aS`Ulk
9uUx
aCP
y<nUh?
yE2Bc-+
F?mg-
dSVW
t-PV
Phni
Ujo
5sOr
|ZAey
~_yWbj
VWS
Vj5h0%
`Qhp
VcIqX#
t)Dn
g"%ze
XE~Ce
G~Cz7
HHg
nc&b,
Npuz
eH=o^
SVW3
cTf
LRf
CYf
Vj9h
PSh?
SSS
bJX
j$r^Dq{
RDP
1xRT
KwG
ooin
NdM
`Qhx
eVY
Inw
jLO
MVuG
ter4
t3cA
bwtS
wbP'
ddX7
iq1g
daJ
if=m8%p
DZ-Y
{rpx
|ejeqe
Dgb
vNcNx
"-Vs6C
Hhs
m.Er
Pe$Hv
WhIT1
"eZD
HoHR
YnJnRn
Mny
DVU
x_pK
Vfg
wED
EX~W`
N{Ql
bOi\jd
Tbo
~Sh{v
yBM
BJ?D
FB/p
VbAwE
Rnw
geA
Udc
PnR
FgH
\vG@I
qJo
tXKn
ntf
\l+r:ms
ekc
a?SQ
sPY
]WC,B
;dSH+
UzY'r0`
R(9$DX5
RSS
ugRt
2xFs&
o<Rk
eGbG#
`Qhh
5InW
Ga{N
uB*G
(I+ft
nqw
"Q#y#F"R"r"'"
SSh
SSh
u*SSSSSS
jGYj
RPh
SSSSSj
jGYj
RPj@
SSSSSj
Sjx
w0SSji
PWV
SSSSh
u5SSSSh
SSji
SSSSh
SSh
SSSSh
SSh
SSh
arU
ClKJ
THH]6|
SFF
#JLr
nU8k
M1Ed
Zl2Y
`QhX
iCnaL
~UC\=Ec
\QxU
%qbs
VN$n)a
R:R{w
ONO4
&avu
noDL
`QhX
ih:KUYCp
N0lSY
Db@Y
R%7XX
NeN
>~sue
XKo
`Qhx
rHq
XSuT
ozVn
Ct:x
GBaBLB
j$,cn7d
yiR
WNVS
SVW
`QhP
/YQ~Vub0&
3v'=UIN9
nyB
JH>Y
?PCZW
x0Ik
NkXSz
NDL
YYn#(
udQK
~?o_xP
`QhX
RAm
nqco_
fxA
havn
AqML
BpT
Z:GG
|vbX
TgJ=
Wkx
ofo
nnn
o,oFo
cbA
jS^t
wHS&
WBQ{
)ZMb
jO)O
tLQ
g?Fm
#CUo
n1ZUc
RwH
fi?Fm?{%
4PAg
i?Fm
nb)j5
",l9Jz(0
N%OM
iEg
n1ZU
Wj9Juk
QC(Uy
8HOB
YFa
a/f-'KEK
c''KE{
$pSz
0XQm
SGc
c'/[eT
ECo
RwP
/n=Ba
Pb-b%
#CUy
EY!r
r7*d)j6
+f-bLD
Psz
c'v_b
d-b%A
Xc<Di
l=Be
=h5RE
e+nz(0
KwK
AHu
r7RE
Kw,]ii
od-b%
i7VM
k7Vb
uQG
j1ZUH
'e/f-s
JDm
L.Ya
ERA
,d)jg
Iss
k7VM%OM
LYS
h1ZU_
>Di&IAP
KJH
UKT
^o5RE
Tj5REk
EY)j5R$
SRV
sfr
X-KK
Cnk
teF
y#j#r#
tYv
rpd
RP"V
sOY
`Qhh
JtD
IaU
yq[q
RkR`
PzaW=
r1:6s3O
Phta
hpa
WPhda
hpa
VhXa
hDa
SSSj
VSj
eLf
SPj
hA]J
AZk
1w#S\!3s#
BDQ3
ty-x
Qx~r
q_aS%
tYmK
v,tYmK
see
vfOYry-
9qWqse
j4kc
qSyc
nME1
fB{g
tyB
fB{g
Ndd
VswmnQ
u[uGu
sLs
qgqBq
}i}b}I}B}
u(uUu
trt
s<sus
p ~x~o~
mje
FgqZN
JI*Gs
(za&w
BYK
SPO
AGC2
Vav
grW
'QLe]
Nvi
xQx
y,yHy
zozFz
UpPu
Ude
?uLN
ab4in
`-WmD
guR
-VKUM
wvf
WVB@
`QhP&
)WLeP&
Q8L8p8
tlC
`QhX,
wtJ
scm
RpF
r<rYr
s'sz
y Kg
jdO
h<J4C(
LzW
`QhX/
69G+F`W
n#rHW
kNRMLi
vrKr
`QhH1
bxr[4
e&kW
jT3T
T]ULUZT
TlU
tSVW
SSSSj
rKt
jBi
Z7F7p7
hTb
tDP
vP?g
UpMr
Lk1[K
g?w\h
qjN[
dep
cb|bTb
Khl
`gFgJg
zW+m
lfh
1wkI;
`QhH=
NiQy
uQhQTQ
EAo
`QhP?
pOw
YJ=l'
T1tU
`QhP@
tOVOBO
`Qh8A
SQkiZ8A
`Qh(B
LXxdz7X}bRM
UJ,9x$
lJnl
4TdCO
RZCZ}Z
Phpb
PSj
jWX_^]
E@DNc
[Avb
`QhXI
jXf
A=R=n=
IPX
COY
EHIw
S#SUS
heE
hxG
O`k#3i
LTQTcT
WHNb
,5WJb
PAPhP
P#P-P
QSQaQ
3X%X8X
`QhhT
FBs(
;yUd.
ALjVNbwy
AXX
$ohF)
rhj
kpV|K
IBH
ZXx
GNL
;TehT
wE{^O&
MbMCM9M
\7Oyn
FXF}F
+'for
[Q7=IA
@QQQ}Q
`QhPY
7a a,a
JVU
)U>U2U
&w-w3w
fbK
+n"n4n
qqZY
`Qhh\
WYd,?<
(dtCq
f;,sL
Bks
`QhX]
'Asf
B,J'L;
Iie
`Qhx`
vn5s
{s#~Kx`
'HmH
`Qhpa
b>pa
`Qh(b
hRt
_gGgPg
wYD
ZywU
*S"S?S
oTp
'<qpyi#=
>aQW
PWVh
hxb
`Qh k
dOk
m'KS8
Cy!Mv
cQa-
xjv
dI,E
#D*Ci
NF!D
EpESE
DmD
EaE
D}DRD
a?M5Y
bJi
WSE
lFq
p4p8p
`QhXp
i@Hln
KGd,
`Qh r
m-E r
`QhHs
ywhYb
oCUaS
rHs
sCI
`Qh8t
`Qh`u
eO}D#1
nq'7K
VM@MLM
lBt
luh
Fgh
X$n&x
SVv
`QhXz
]V$p2z
LyR`
KwJq
UhXrqF
NXz
OvO=O
UEd
nGH*
BPmp
mEe4
mV6G
;?sBM
ubSW
jT^W
toPh
PPh
jAY3
t#jV^
PSSSSSSh
PSSSSSSh#
PSSSSSSSj
0SVW3
PVS
PWj
PWj
VSj
YqR
hfeS=
aRs
RgRMR
uLh
hxg
)TBB
"ipX
sOrU
6jGS
ANESB
BA%xY
`f|fHf
dmy
yCj
`Qhh
HRyT
CM\s,
eGEHMn
qN`Mb
oSZ
uoo
DJg
NWh
EWu
Xr[3eK
aKTW-
lCy
cst
kMlh
CzN
Eos
W2C2O2
m?@JS
FjB
OhR
gUn@
fbD
lKs
mmm
OIns
D#oy
Psh
FcMq`t/
iXk
]#JT0z
bEz
C<X<x<
kgU
zAff
YBP
bjF
wil
sMJ
+A Ue
wBv
e<q<C<
EEi
B(ah
dwb
XCJ
Jzh>
nBYFR4
mFb
mJJ
XNQ2
fY_.#E
hVO
AaL
CDcHso
^tAK
fb'b
`Qhp
MeI
sYE+42
d1nN
H7JPJ
~VqHA(
uDc
cLC
nlz
rIVI
,g?A3As
Nm+Q
~nHe
Joj)
BII
WHE
pJ@u
<_py[id
k`)o;G
Rej
Hqj
fdr'
`QhX
XXa
yFO7q
rEwRSGTJ
CHmH`H
`Qhp
e$a)O
oZj|{
BoLv
GIv
OYR
NId
)gGE
cyk
OlO~OMOZO
Wx&8y
FKP
Gym
KlRqU
`QhH
5bOo
TTEz
&o>.ABE
;W}mx31:
lf\f
>Irz&
UDx
rk&L
QR\6E7b<
WHa
|VMb%
&z*e:J
rrD
`Qhx
3#zB-?B2
NM(O7
`Qhp
fB)l
!aya?
juP
uJ2y
ZtvL>
Mjn
hPP
OpM
?EUv
Vg-l)G
D^CC
%:+t/Nj
yVxW
\p@pup
pUp~p
aA~AHA
HyJ
FWLTj
R&RaRuRDR
:ska
vov
EDEv
qM>M
FlZ
SZ>v
ybN
u4NWtj
Mmock5
XdUn=
{wQw
`QhX
zob
XQk
uOe
fZhFP\
RXd
ejIH
lUv
*GmE
p"p4p
XlJlml
/fAm+
iwC
UJux
OyB
frf
tum
9TLrx
B!Ix
c5Lvp
Y;S"mU
XwH
E4SV
wxj
olxC
bsV
ikf
sN~uD)
dqT
ojg~: i)3
gRm
w]sE
kl{F?
J@+VP
r7./j%V
zR]Y
GsG
FhF
x;q;m;
[xvx
L=lm
2pMR
{AMdY
n]Tr
`Db2R
hPi
FQQVW
<8hyG
qKM
BbL
U~tA
WGA
LaG
nk2`a
Bzw
mAO[{mH
DwF
UZ1z
[BMBPB
iW,B
wOZ'V?
T3x3A3
tq\qyq
`Qhp
O-fY
R=Jb
JaDZ
wsQ;
IWE
RrNJG
aHg#
ssQ;
$bEZ=
CPmk
nov
iT%K
tSRWQP
`Qhx
d0Ae
/I;ud
u^hGS
sOf
Fve
Ow@{&j,
JniZ
SjN!
VFe7
0jgQL
djdyd
`QhH
M~rW|
luU!
Rmt@>
~bPT
{tkM#
L`|NjJ
rGrrr
UUc'
TWx
y4Ys
BfBGB
BzBPB0B
vIv
RVK
HjI
+X0jTnN
nlA
r.xA
sze)
OpS[
m<jog
dqj
rqG
GMu
Exj
EHP
EHP
SVW
VPVP
C0PV
C4PV
vQP
C0WPj
vQPj
C Pj
C$Pj
s@Vj
C@PV
t*Wj
PVP
QPP
K@QP
wvC
F$Vj
F$Vj
F$Vj
C$SW
E4Pj
tUS
ELPP
tBS
ELP
E@PPP
E4PP
tJS
ELPj
E4Pj
ELP
tKS
ELP
ELP
NPt#SVW
PVj
EL9GP
MlS
ETP
ETP
ETP
ETPP
ETP
ETP
ETP
ETPj
tpW
ETP
tZW
ETPj
tBW
ETP
E4PPS
]`A;M0v1S
ETPj
ETP
ETP
E4PP
ETP
ETP
tgS
ETP
M09MHr
E4PP
CPtH
E(SVP
SVW
PSPP
MPu
EDP
E8Pj
EDP
uhS
EPPj
H$Pj
9udu
utP
G@PS
uhS
Mtu
uxj
F$Vj
MDQQ
EDPP
twj
E8PP
F$Vj
M`QS
EPPj
EPP
9Mxw
E\tw
EhP
tc9]ht^
EDP
EDP
9Uxt#
B;Uxu
tCSV
uEH
VW~b;
VWv
SQP
SVW
~Tt!W
H$Pj
SVW
Cks
QVj
F$Vj
QVj
F$Vj
SVW
ud;ul
uDw
uPtx;
M0;Mlr
+ED+EH9E
ULu
E@)EH
+EP+E@9E
EH)E@
PVSW
u0QP
}lWP
upP
udW
uTV
uxP
G$Wj
XQP
t-Wj
QVW
GWQ
K$SP
FVQ
G$WR
SVW
SVW
SVW
PVV
tyWVj
teW
tRWVj
WVj
uDQ
uGQ
w4VV
QPj
VSV
QPW
dRP
QSVW
PWS
PRQ
WV!T
PSP
SPV
PWP
WSW
WSW
PVW
PVS
QPS
PVW
VWWS
GVW
SWV
QQV
Su0W
PVQ
VRS
QPP
VWS
PVWWW
PVW
VWS
WWW
@w=VW
VSP
QQSVW
l$$uY
Y]IX
PUQ
vQRP
u'VW
tb9u
SVW
PVW
QVP
WSV
PWSS
WSSS
VSW
uyV
QSVW
SPP
WSV
VWPu6
VPP
VWW
WSV
QSVW
PSV
SVWV
SVVV
SVWV
SVj
SVV
SVWV
SVj
PWP
t4SV
t%j X+E
SVW
PQj
tJV
w7wB
l{fl+
TRH
D|\hYO
yJo
CnRkd-
Hf~MH
Tag
Y<hkJ_
dxqE.
B2sB'
rnX
1dq#R!0E
6,iLX
"hCV66MW
}2t)n|Sw
LD^q
~E9aX
G6\xq+w
<4=d}wb
XrrG
2Jrw
DJD
Pp(H
Ei&:q
Qa=M
:vkJ(
6Dgw4
NETAPI32.dll
WINMM.dll
ole32.dll
MSGINA.dll
RASAPI32.dll
MPR.dll
WNetClearConnections
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WNetRestoreConnection2W
NetGetJoinInformation
NetEnumerateTrustedDomains
DsGetDcNameW
NetUserGetInfo
NetUserModalsGet
NetApiBufferFree
DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory
CoCreateGuid
CoUninitialize
CoCreateInstance
StringFromGUID2
CoInitialize
RasHangUpW
RasEnumConnectionsW
DwRasUninitialize
RasQuerySharedConnection
WinmmLogon
MigrateSoundEvents
WinmmLogoff
PlaySoundW
ADVAPI32.dll
AUTHZ.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
msvcrt.dll
NDdeApi.dll
ntdll.dll
PROFMAP.dll
PSAPI.DLL
REGAPI.dll
RPCRT4.dll
Secur32.dll
SETUPAPI.dll
USER32.dll
USERENV.dll
VERSION.dll
WINSTA.dll
WINTRUST.dll
WS2_32.dll
ConvertStringSecurityDescriptorToSecurityDescriptorA
A_SHAInit
A_SHAUpdate
A_SHAFinal
LsaStorePrivateData
LsaRetrievePrivateData
LsaNtStatusToWinError
CryptGetUserKey
CryptGetKeyParam
CryptEncrypt
CryptSetProvParam
CryptSignHashW
CryptDeriveKey
CryptGetProvParam
RegOpenCurrentUser
RegDeleteKeyW
AddAccessAllowedAceEx
RegSetKeySecurity
I_ScSendTSMessage
MD5Init
MD5Update
MD5Final
SetFileSecurityA
AllocateLocallyUniqueId
LsaOpenPolicy
LsaQueryInformationPolicy
LsaFreeMemory
LsaClose
RegNotifyChangeKeyValue
QueryServiceConfigW
SetKernelObjectSecurity
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegEnumKeyExW
GetCurrentHwProfileW
RegCloseKey
RegQueryValueExW
RegOpenKeyW
FreeSid
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
RegOpenKeyExW
CreateProcessAsUserW
DuplicateTokenEx
CloseServiceHandle
ControlService
StartServiceW
QueryServiceStatus
OpenServiceW
OpenSCManagerW
EqualSid
GetTokenInformation
RegSetValueExW
RegCreateKeyExW
CryptGenRandom
CryptDestroyHash
CryptVerifySignatureW
CryptSetHashParam
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptDecrypt
ReportEventW
RegisterEventSourceW
CryptImportKey
CryptAcquireContextW
CryptReleaseContext
CryptDestroyKey
RegEnumValueW
RegQueryInfoKeyW
RegDeleteValueW
CredFree
CredDeleteW
CredEnumerateW
CopySid
GetSidLengthRequired
GetSidSubAuthority
GetSidSubAuthorityCount
GetUserNameW
OpenThreadToken
EnumServicesStatusW
ImpersonateLoggedOnUser
RegQueryValueExA
CheckTokenMembership
DeregisterEventSource
LsaGetUserName
RevertToSelf
LookupAccountSidW
IsValidSid
SetTokenInformation
LogonUserW
LookupAccountNameW
OpenProcessToken
SynchronizeWindows31FilesAndWindowsNTRegistry
QueryWindows31FilesMigration
AdjustTokenPrivileges
RegQueryInfoKeyA
AuthzInitializeResourceManager
AuthzAccessCheck
AuthziFreeAuditEventType
AuthziInitializeAuditEvent
AuthziInitializeAuditParams
AuthziInitializeAuditEventType
AuthziLogAuditEvent
AuthzFreeAuditEvent
AuthzFreeResourceManager
AuthzFreeHandle
CryptImportPublicKeyInfo
CryptVerifyMessageSignature
CertCreateCertificateContext
CertSetCertificateContextProperty
CertVerifyCertificateChainPolicy
CryptSignMessage
CertCloseStore
CertComparePublicKeyInfo
CryptExportPublicKeyInfo
CertFindExtension
CryptDecryptMessage
CertGetCertificateContextProperty
CertAddCertificateContextToStore
CertOpenStore
CertVerifySubjectCertificateContext
CertGetIssuerCertificateFromStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertEnumCertificatesInStore
CryptImportPublicKeyInfoEx
RemoveFontResourceW
AddFontResourceW
WTSGetActiveConsoleSessionId
GetTimeFormatW
GetUserDefaultLCID
FileTimeToSystemTime
FileTimeToLocalFileTime
GetProcAddress
LoadLibraryW
GetModuleHandleW
SystemTimeToFileTime
GetSystemTime
SetLastError
TerminateProcess
GetCurrentProcess
CreateTimerQueueTimer
CreateThread
lstrcpynW
GetShortPathNameW
GetProfileStringW
FreeLibrary
ReleaseSemaphore
CreateSemaphoreW
GetSystemInfo
GetComputerNameW
GetEnvironmentVariableW
WaitForSingleObjectEx
LoadResource
FindResourceW
SetThreadExecutionState
DeleteTimerQueueTimer
ResetEvent
GetSystemDirectoryW
TransactNamedPipe
SetNamedPipeHandleState
GetTickCount
CreateFileW
GlobalGetAtomNameW
VirtualLock
VirtualQuery
GetDriveTypeW
Beep
OpenMutexW
QueueUserWorkItem
LeaveCriticalSection
EnterCriticalSection
DisconnectNamedPipe
SearchPathW
lstrcatW
LocalReAlloc
ExpandEnvironmentStringsW
TerminateThread
ResumeThread
GetDiskFreeSpaceExW
GlobalMemoryStatusEx
DeleteFileW
WriteProfileStringW
ReadFile
FindVolumeClose
FindNextVolumeW
FindFirstVolumeW
FormatMessageW
SetPriorityClass
MoveFileExW
WaitForMultipleObjectsEx
GetExitCodeProcess
SleepEx
InterlockedExchange
FindClose
FindFirstFileW
GetWindowsDirectoryW
SetTimerQueueTimer
GetComputerNameA
GetVersionExW
VerSetConditionMask
WriteFile
WaitNamedPipeW
WaitForMultipleObjects
ConnectNamedPipe
DuplicateHandle
OpenProcess
GetOverlappedResult
GetVersionExA
lstrcmpW
SetEnvironmentVariableW
UnregisterWait
CreateNamedPipeW
CreateRemoteThread
CreateActCtxW
GetModuleFileNameW
ExitProcess
LoadLibraryExW
SetErrorMode
SetUnhandledExceptionFilter
GetPrivateProfileStringW
LocalSize
VirtualAlloc
VirtualQueryEx
DebugBreak
CreateFileA
InitializeCriticalSection
ProcessIdToSessionId
SetInformationJobObject
AssignProcessToJobObject
TerminateJobObject
PostQueuedCompletionStatus
PulseEvent
GetQueuedCompletionStatus
CreateIoCompletionPort
CreateJobObjectW
ActivateActCtx
DeactivateActCtx
InterlockedCompareExchange
LoadLibraryA
QueryPerformanceCounter
GetSystemTimeAsFileTime
UnhandledExceptionFilter
GetModuleHandleA
GetStartupInfoA
GetCurrentProcessId
SetThreadPriority
GetCurrentThreadId
lstrcmpiW
GetProfileIntW
LoadLibraryExA
lstrcpyW
lstrlenW
Sleep
LocalAlloc
CreateEventW
GetExitCodeThread
SetThreadAffinityMask
GetProcessAffinityMask
CreateWaitableTimerW
CreateMutexW
OpenEventW
RegisterWaitForSingleObject
WaitForSingleObject
CreateProcessW
SetWaitableTimer
ReleaseMutex
SetEvent
UnregisterWaitEx
CloseHandle
lstrlenA
lstrcpyA
MultiByteToWideChar
GetACP
WideCharToMultiByte
HeapAlloc
GetProcessHeap
HeapFree
lstrcpynA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
lstrcmpiA
GetFileSize
SetFilePointer
GlobalAlloc
GlobalFree
GetLastError
LocalFree
lstrcatA
lstrcmpA
GetLogicalDriveStringsA
GetDriveTypeA
GetVolumeInformationW
GlobalMemoryStatus
CreateMutexA
FindResourceExW
LockResource
SizeofResource
VerifyVersionInfoW
GetSystemDirectoryA
GetCurrentThread
DelayLoadFailureHook
BaseInitAppcompatCacheSupport
OpenProfileUserMapping
CloseProfileUserMapping
BaseCleanupAppcompatCacheSupport
InitializeCriticalSectionAndSpinCount
VirtualProtect
CreateEventA
TlsSetValue
DeleteCriticalSection
TlsGetValue
TlsAlloc
VirtualFree
TlsFree
_vsnwprintf
wcslen
wcsncpy
wcsstr
atoi
wcstok
memmove
wcschr
swprintf
swscanf
_local_unwind2
_wcslwr
wcscmp
_snwprintf
malloc
_c_exit
_exit
_XcptFilter
_cexit
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
??3@YAXPAX@Z
??2@YAPAXI@Z
__CxxFrameHandler
_itow
_snprintf
_wtol
_strnicmp
sscanf
wcstombs
sprintf
strchr
strncmp
atof
_ftol
isspace
__set_app_type
wcscpy
_controlfp
wcsncmp
_wcsupr
ceil
wcscat
_except_handler3
free
_wcsicmp
RtlAllocateHeap
NtPowerInformation
NtSetSystemPowerState
NtRaiseHardError
RtlDeleteCriticalSection
NtOpenSymbolicLinkObject
NtReplyPort
NtCompleteConnectPort
NtReplyWaitReceivePort
NtAcceptConnectPort
NtCreatePort
RtlConvertSidToUnicodeString
RtlFreeUnicodeString
NtLockProductActivationKeys
RtlTimeToTimeFields
NtUnmapViewOfSection
NtMapViewOfSection
NtOpenSection
NtQuerySymbolicLinkObject
NtQueryVolumeInformationFile
NtSetSecurityObject
RtlAdjustPrivilege
NtOpenFile
NtFsControlFile
RtlAllocateAndInitializeSid
RtlDestroyEnvironment
RtlFreeHeap
NtQueryInformationToken
NtShutdownSystem
RtlEnterCriticalSection
RtlLeaveCriticalSection
RtlInitializeCriticalSection
RtlCreateEnvironment
RtlQueryEnvironmentVariable_U
RtlSetEnvironmentVariable
RtlInitUnicodeString
NtOpenKey
NtQueryValueKey
RtlSubAuthoritySid
RtlInitializeSid
RtlLengthRequiredSid
NtAllocateLocallyUniqueId
RtlGetDaclSecurityDescriptor
RtlCopySid
RtlLengthSid
NtSetInformationThread
NtDuplicateToken
NtDuplicateObject
RtlEqualSid
RtlSetDaclSecurityDescriptor
NtClose
RtlOpenCurrentUser
RtlCreateSecurityDescriptor
RtlAddAce
RtlCreateAcl
RtlNtStatusToDosError
NtOpenDirectoryObject
NtQuerySystemInformation
NtCreateEvent
NtCreatePagingFile
RtlDosPathNameToNtPathName_U
RtlRegisterWait
NtSetValueKey
NtCreateKey
RtlTimeToSecondsSince1980
NtQuerySystemTime
NtPrivilegeObjectAuditAlarm
NtPrivilegeCheck
NtOpenThreadToken
NtOpenProcessToken
RtlUnhandledExceptionFilter
NtQueryInformationProcess
DbgBreakPoint
RtlCheckProcessParameters
RtlSetThreadIsCritical
RtlSetProcessIsCritical
RtlInitString
NtInitiatePowerAction
DbgPrint
NtFilterToken
NtQueryInformationJobObject
NtOpenEvent
RtlGetAce
RtlQueryInformationAcl
NtQuerySecurityObject
RtlCompareUnicodeString
NtSetInformationProcess
InitializeProfileMappingApi
RemapAndMoveUserW
EnumProcesses
EnumProcessModules
GetModuleBaseNameW
RegDefaultUserConfigQueryW
RegUserConfigQuery
RpcServerRegisterIfEx
RpcServerUseProtseqEpW
RpcImpersonateClient
I_RpcMapWin32Status
RpcServerRegisterIf
RpcGetAuthorizationContextForClient
RpcFreeAuthorizationContext
RpcServerListen
RpcRevertToSelf
NdrServerCall2
UuidCreate
GetUserNameExW
LsaLookupAuthenticationPackage
LsaRegisterLogonProcess
LsaCallAuthenticationPackage
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupDiGetDeviceRegistryPropertyW
SetFocus
EnumWindows
CreateWindowStationW
RegisterLogonProcess
RecordShutdownReason
LoadLocalFonts
UnhookWindowsHook
SetWindowsHookW
GetWindowTextW
CallNextHookEx
DialogBoxParamW
GetWindowPlacement
GetSystemMenu
DeleteMenu
SetWindowPlacement
SetUserObjectInformationW
GetAsyncKeyState
PostThreadMessageW
SetUserObjectSecurity
CreateDesktopW
KillTimer
GetMessageTime
SetLogonNotifyWindow
UnlockWindowStation
SetTimer
ReplyMessage
UnregisterHotKey
RegisterHotKey
OpenInputDesktop
GetUserObjectInformationW
CloseDesktop
RegisterDeviceNotificationW
SetThreadDesktop
CreateWindowExW
GetMessageW
TranslateMessage
RegisterWindowMessageW
SetCursor
DefWindowProcW
FindWindowW
MessageBoxW
SendNotifyMessageW
PostQuitMessage
MsgWaitForMultipleObjects
GetWindowRect
GetSystemMetrics
PeekMessageW
DispatchMessageW
SetProcessWindowStation
UpdateWindow
ShowWindow
SetWindowPos
PostMessageW
ExitWindowsEx
EnumDisplayMonitors
SystemParametersInfoW
GetDlgItem
SendMessageW
CreateDialogParamW
DestroyWindow
GetWindowLongW
GetDlgItemTextW
EndDialog
SetWindowLongW
LoadStringW
SetWindowTextW
SetDlgItemTextW
wsprintfW
wsprintfA
LockWindowStation
MBToWCSEx
SetWindowStationUser
UpdatePerUserSystemParameters
DialogBoxIndirectParamW
wvsprintfW
SetLastErrorEx
LoadCursorW
CheckDlgButton
IsDlgButtonChecked
RegisterClassW
CloseWindowStation
LoadImageW
GetParent
GetKeyState
GetDesktopWindow
SetForegroundWindow
SwitchDesktop
OpenDesktopW
WaitForUserPolicyForegroundProcessing
GetAllUsersProfileDirectoryW
WaitForMachinePolicyForegroundProcessing
UnloadUserProfile
LoadUserProfileW
GetUserProfileDirectoryW
RegisterGPNotification
CreateEnvironmentBlock
DestroyEnvironmentBlock
UnregisterGPNotification
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
WinStationRequestSessionsList
WinStationQueryLogonCredentialsW
WinStationIsHelpAssistantSession
WinStationAutoReconnect
_WinStationWaitForConnect
WinStationDisconnect
_WinStationCallback
WinStationNameFromLogonIdW
_WinStationFUSCanRemoteUserDisconnect
WinStationEnumerate_IndexedW
WinStationGetMachinePolicy
WinStationQueryInformationW
WinStationFreeMemory
WinStationReset
_WinStationNotifyDisconnectPipe
WinStationConnectW
WinStationSetInformationW
WinStationShutdownSystem
WinStationCheckLoopBack
_WinStationNotifyLogon
_WinStationNotifyLogoff
CryptCATCatalogInfoFromContext
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminAcquireContext
CryptCATAdminEnumCatalogFromHash
CryptCATAdminReleaseCatalogContext
WTHelperProvDataFromStateData
WinVerifyTrust
WTHelperGetProvSignerFromChain
CryptCATAdminReleaseContext
getaddrinfo
RSDS
winlogon.PDB
NDDEAgnt
NetDDE Agent
[none]
NetDDE
NetDDEDSDM
ClipSrv
NetDDEMainWdw
Start NetDDE Services
NetddeAgentExecRtn
NetddeAgentWakeUp
NetddeAgentAlive
NetddeAgentDying
System\CurrentControlSet\Control\Session Manager\Memory Management
TempPageFile
DontWatchSysProcs
Software\Microsoft\Windows NT\CurrentVersion\WPAReminders
DisableReminder
System Shutdown
MS Shell Dlg
This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by %s\%s.
Time before shutdown :
Message
Text
Winlogon generic control dialog
MS Shell Dlg
Shutdown Computer
MS Shell Dlg
It is now safe to turn off your computer.
&Restart
Shutdown in Progress
MS Shell Dlg
Workstation Locked
MS Shell Dlg
Please wait while the current user is logged off.
User Interface Failure
MS Shell Dlg
The Logon User Interface DLL msgina.dll Failed to load
Contact your system administrator to replace the DLL, or restore the original DLL.
&Restart
NetDDE Agent
MS Shell Dlg
Starting NetDDE related services...
System Standing By
MS Shell Dlg
Please wait while the system prepares to stand by.
System Hibernating
MS Shell Dlg
Please wait while the system prepares to hibernate.
Logon Message
MS Shell Dlg
Please authorize this action by entering the password of an account with Administrator privileges.
&User:
&Password:
&Domain:
RC{O
&Cancel
User Interface Failure
MS Shell Dlg
The Logon User Interface DLL msgina.dll Failed to load
To correct this problem, please have the administrator of the remote computer contact the program vendor for a version that is compatible with Windows.
PKD
&End Connection
Windows 3.x Migration
MS Shell Dlg
You have installed Windows NT into an existing Windows 3.x directory.  You have the option of migrating portions of your Windows 3.x environment into the Windows NT environment.
Migrate Windows 3.x &WIN.INI and CONTROL.INI
Migrate Windows 3.x &Program Manager group files
Cancel
Please select below the parts you wish to migrate into the Windows NT environment.
The shell stopped unexpectedly and %1 was restarted.
The automatically enrolled certificate of type %1 is being renewed for the following reason(s):
The automatically enrolled certificate of type %1 is being re-enrolled for the following reason(s):
Subject Name:%1
Alternate Subject Name:%1
Automatic enrollment against the certification authority %4 for a certificate of type %3 has
failed.  (%1) %2.   Another certification authority will be tried.
The certificate returned from an auto-enrollment is incorrect.  Subsequent auto-enrollment cycles
will ignore reasons for failure.  Please contact your system administrator.  The reasons for failure are
listed below:
The certificate does not fulfill the intended usage requirements specified by the certificate template:
Certificate: %1
Certificate Template: %2
The certificate does not fulfill the key usage requirements specified by the certificate template:
Certificate: %1
Certificate Template: %2
The certificate does not fulfill the basic constraints requirements specified by the certificate template:
Certificate: %1
Certificate Template: %2
The certificate does not contain the template name specified by the certificate template:\n
Certificate: %1\n
Certificate Template: %2
The certificate does not contain the any of the principal names specified for this user:
Principal Name(s): %1
The subject name of this certificate does not contain the e-mail name for this user:
User e-mail name(s): %1
The alternate subject name of this certificate does not contain the e-mail name for this user:
User e-mail name(s): %1
This certificate does not contain the e-mail name for this user:
User e-mail name(s): %1
The certificate does not contain the DNS name of the machine:
DNS Name(s): %1
This certificate does not contain the Directory Name of the user or machine:
Directory Name(s): %1
This certificate does not contain the Active Directory object identifier of the user or machine.
This certificate contains an Active Directory object identifier, but should not.
The certificate is no longer trusted for the following reason (0x%1!lx!) %2.
The certificate's issuer is no longer allowed by the autoenrollment object.
The certificate will expire soon.
Execution of GPO scripts has timed out and have been terminated.
Failed to set the user's home directory %1.
Initialization of automatic certificate enrollment has failed.  There is possible corruption
of system DLL's required for auto-enrollment.  (%1) %2
Verification of an automatically enrolled certificate has failed. (%1) %2
Unknown or unavailable cert type, %3, requested for automatic certificate enrollment.
This enrollment will not be performed. (%1) %2
The enterprise root certificate store could not be updated.
The NT Smartcard authentication certificate store could not be updated.
The automatic certificate enrollment subsystem could not access local resources needed for enrollment.  
Enrollment will not be performed. (%1) %2
The automatic certificate enrollment subsystem could not access network resources needed for enrollment.  
Enrollment will not be performed. (%1) %2
A security failure is preventing automatic certificate enrollment.  
Enrollment will not be performed. (%1) %2
A critical system process, %1, failed with status code %2.  The machine
must now be restarted.
Welcome back to the %1 domain.  While you were offline, your settings were stored in a local account. Do you want to move them to your %1 account?%0
Your settings cannot be moved because of an error.  (Error code %1!u!)%0
%1 (this computer)%0
The system could not validate %1. Check your account name, and type your password again. Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentially on.%0
The system could not validate %1 on %2. Check your account name, and type your password again. Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentially on.%0
The user account you just entered does not have the authority to move settings. Please try another account, such as Administrator.%0
Windows XP Startup Password
MS Shell Dlg
This computer is configured to require a password in order to start up.  Please enter the Startup Password below.
&Password:
&Restart
Windows XP Startup Key Disk
MS Shell Dlg
This computer has been configured to require a disk to be present during startup.  Please insert the disk and press OK.
If you do not have the disk, contact your administrator or select the Restart button to restart the computer.
&Restart
Connect to existing Remote Desktop
MS Shell Dlg
You already have active Remote Desktop connections on this computer.  Please select one of the following:
Mode/Color
Connect Time
Disconnect Time
MS Shell Dlg
Phone number:
Cancel
Callback in Progress
MS Shell Dlg
Please wait for callback.
Terminal Server Sessions Disabled
MS Shell Dlg
Remote logins are currently disabled.
VS_VERSION_INFO
StringFileInfo
CompanyName
Microsoft Corporation
FileDescription
Windows NT Logon Application
FileVersion
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
InternalName
winlogon
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
WINLOGON.EXE
ProductName
Microsoft
Windows
Operating System
ProductVersion
VarFileInfo
Translation
Restart system
[The system can not log you on (%X).  Please try again or consult your system administrator.
Windows Message
(It is now safe to turn off the computer.
Shutdown Message/The Logon User Interface DLL %s failed to load.pThe system process '%s' terminated unexpectedly with status code %d.  The system will now shut down and restart.EThe account specified does not have permission to move user profiles.XYour settings have been transferred, and you need to log on again to use those settings.;Windows setup has completed, and the computer must restart.dThe dial-up networking connection '%s' is currently active. Would you like to close this connection?hMultiple dial-up networking connections are currently active. Would you like to close these connections?
WINMM
waveOutGetNumDevs
PlaySound
MigrateSoundEvents
WINMM
MigrateMidiUser
Your system has no paging file, or the paging file is too small.
To fix this problem, go to System in Control Panel, click the Advanced tab, and under Performance, click Settings. On the Advanced tab, click Change. Click 'Custom size,' and then type an initial or maximum paging file size.
Limited Virtual Memory
Invalid System Time
The time or date on your system is invalid. Please use the date/time applet in the Control Panel to properly set your system time and date.
;The system is not fully installed.  Please run setup again.
aUnable to log you on because your account has been locked out, please contact your administrator.
bYour account does not currently have Administrator privileges. Please specify a different account.
Administrator
!NetDDE Agent unable to initializegCould not start one or more of the NetDDE related services.
Consult your system administrator for help.
You cannot intiate a Remote Desktop Connection because the Windows logon software on the remote computer has been replaced by incompatible software %s.
\The Startup Key File was not found on the disk in drive A:.  Please insert the correct disk.
Key File Not Found
cYou should change your battery or switch to outlet power immediately to keep from losing your work.
Critical Battery
Low Battery
system.scr
Logon Connect Failed
WError connecting to existing session for %s (Id %lu)
A new session will be created.
Logon Disconnect Failed
Error disconnecting Id %lu
Disconnect from Windows NTZThis will disconnect your session.
You can reconnect to this session when you Logon again.
Callback Roving Session
Callback Fixed Session^Your interactive logon privilege has been disabled.  Please contact your system administrator.
Invalid Phone Number
A callback phone number is not configured for this Session.  A callback phone number must be configured for Fixed Callback Sessions.  Please notify the system administrator.0You do not have access to logon to this Session.BYou do not have the proper encryption level to access this Session
&Disconnect...
The user %s\%s is currently logged on to this computer. If you continue this user's Windows Session will end and any un-saved data will be lost. Do you want to continue?
~The user %s\%s is currently logged on to this computer. Only the current user or an administrator can log on to this computer.}The requested operation cannot be completed because the Terminal Connection is currently busy processing a connect operation._You are attempting to connect back to your own computer. The requested operation is not allowedKThe terminal server has exceeded the maximum number of allowed connections.
The user %s\%s is currently logged on to this computer. If you continue, %s has to disconnect from this computer. Do you want to continue?M%s\%s is currently logged on this computer, and did not allow you to connect.7Error connecting to existing session for %s (Id %lu).%s7Unable to log you on because of an account restriction.
Logon Message
Preparing network connections...
Applying computer settings...
Running startup scripts...
Running shutdown scripts..."Applying your personal settings...
Running logoff scripts...
Running logon scripts...!Loading your personal settings...
Closing network connections...
Windows is shutting down...
Preparing to stand by...
Preparing to Hibernate...
Saving your settings...3Preparing to Stand By in order to complete eject...;The Active Directory is rebuilding indices.  Please wait...
Windows is starting up...
Logging off...
User group policies finished./Waiting for machine group policies to finish... Machine group policies finished.#Stopping Windows File Protection...
Remote logoff in progress...
Restoring network connections...
Executing:  %s...
Loading power profile...
Playing logon sound...
Playing logoff sound...
RPCSS is starting...
Active Directory is starting...
MUP is initializing...
Shutting down your computer...,Waiting for user group policies to finish...
&Could not reconnect all network drivesIClick here to open My Computer and see the status of your network drives.
=wxr
eJ,HZc<E
IE*^KVnmM
VEx
Dko
RzZ
rID
GhuY/l
U]Q=S
qf!y^'c
6nN@g%oP*
Z?eV
waO
7LXT4
ykm'
eYM<
ZSP
>xMSWz
oxi
rEt\
fsrJ
jaiR
CUm
="-l_ly*e
h}vn
S?KE
IFs
-ovn
oem
volume
retail
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
name="Microsoft.Windows.Logon"
version="5.1.0.0"
processorArchitecture="x86"
type="win32"
<description>Microsoft Windows Setup</description>
<dependency>
<dependentAssembly>
<assemblyIdentity
name="Microsoft.Windows.SystemCompatible"
version="5.1.0.0"
processorArchitecture="x86"
type="win32"
publicKeyToken="6595b64144ccf1df"
</dependentAssembly>
</dependency>
</assembly>
DDD8
ODD8
DDD8
DDD8
DDD8
DDD8
DDD8
DDD8
DDD8
DOD8
DDD8
DDD8
DHD8
DKD8
DDD8
DDD8
DDC
DDC
wwwww
wwp
wwwwwwwwwww
wwp
wwwwwwwwww
DDDDDD@
wwp
xww
wwwwwwww
wwwwwwwwww
wwwx
wwwwwww
wwwww
wwp
wwwwwwwwwww
wwp
wwwwwwwwww
DDDDDD@
wwp
xww
wwwwwwww
wwwwwwwwww
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 500 total points
ID: 24127931
Reinitialize the Offline Files Database, once you have verified that all files are in synch, or extracted....

To make sure that the Offline Files are all in Synch.....

If the Offlines Files folder shows files not synchronized, or only local copy exists, please follow here....

Get the following from the web....

Features and functions in version 1.1 of the Client-Side Caching ...
http://support.microsoft.com/kb/884739

DL it here....Copy it to C:\windows\system32
http://stingr.net/ftp/pub/csccmdv1.1.zip

Then run the following command....

csccmd.exe /extract /target:C:\ExFiles /recurse
or
csccmd.exe /extract /target:C:\ExFiles /recurse /onlymodified

Then once they are extracted, and verified.....

start>run>cmd.exe

paste the following, and reboot.....

reg add "hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache" /v FormatDatabase /t reg_dword /d 00000001
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24127938
And I know this will take some time to wait for each mouse click, but if there is unsynched data, this will wipe it beyond retrieval......

If you go into the Offline Files folder, and only see a few files marked as "Local copy exists", or modified offline, etc.... If they are system files, and not user created data, just delete them... Sort the columns in the OFF by the Synchronization column...... Makes it easier...
0
 

Author Comment

by:mail2clk
ID: 24127955
Thanks John, I presume formatting the database is different to deleting the contents and re-synchronising?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24127973
Same thing as hitting CTRL+SHIFT and clicking the Delete Key in the OFF.....
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

Malware seems to be getting smarter and smarter. If you are having trouble being able to launch your malware removal tools such as (and recommended): MalwareBytes, HiJackThis, ComboFix, etc. you can try some of the workarounds listed below. 1. Ma…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now