
What Keeps Bringing Up Autoexec.nt?


5 replies to this topic

#1 fezzikjr (Members, 9 posts, Location: Tyler, TX)

Posted 18 February 2007 - 12:24 PM

Greetings!

I am a lo-tech PC tech, looking for some assistance with a customer's problem. The only way that *I* know how to fix it is with a re-image of Windoze. Unfortunately, she has a number of programs installed which are irrecoverable at this time, and needs to keep them going as much as possible, since she uses these programs while working from home.

Her problem started a while back (exact date unknown, but I think about a month ago), where when she would boot into windows, she would get an error about something not able to load. Google searching led me to the C:\Windows\System32\autoexec.nt file, where a couple of lines needed to be REM'd. A reboot of the computer, and her *first* computer problem was fixed.

However, she continues to get a DOS window that pops up EVERY SIXTY SECONDS and only goes away when closed. It's a csrss.exe window, called by ntvdm.exe, which refers to all of the lines in the autoexec.nt file. I modified the autoexec.nt file by removing the "@ECHO OFF" line, so that I could verify that is what was going on. Below is an example of what shows up in the DOS window now. Before the removal of the "@ECHO OFF" line, the DOS window only had a blinking cursor that would seemingly randomly flash around inside the black DOS window. I also REM'd all the other lines not told to REM from the google post I had found.

As a band-aid to the problem, I have installed a program called "Process Audit - Free Edition", which has been configured to kill the ntvdm.exe process as soon as it comes up. This will only work for so long, and is slightly buggy but, it reduces the headache of the typing cursor misplacement considerably.

Additionally, I have run/installed SpyBotS&D, Ad-Aware SE Personal, and Avast! Anti-Virus. All three of those did find problems, and fixed all the ones they found, but have not been able to fix it.

Here's the file information I have thus far.

****autoexec.nt****
REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
REM different startup file is specified in an application's PIF.

REM Install CD ROM extensions
REM lh %SystemRoot%\system32\mscdexnt.exe

REM Install network redirector (load before dosx.exe)
REM lh %SystemRoot%\system32\redir

REM Install DPMI support
REM lh %SystemRoot%\system32\dosx

REM The following line enables Sound Blaster 2.0 support on NTVDM.
REM The command for setting the BLASTER environment is as follows:
REM SET BLASTER=A220 I5 D1 P330
REM where:
REM A specifies the sound blaster's base I/O port
REM I specifies the interrupt request line
REM D specifies the 8-bit DMA channel
REM P specifies the MPU-401 base I/O port
REM T specifies the type of sound blaster card
REM 1 - Sound Blaster 1.5
REM 2 - Sound Blaster Pro I
REM 3 - Sound Blaster 2.0
REM 4 - Sound Blaster Pro II
REM 6 - SOund Blaster 16/AWE 32/32/64
REM
REM The default value is A220 I5 D1 T3 and P330. If any of the switches is
REM left unspecified, the default value will be used. (NOTE, since all the
REM ports are virtualized, the information provided here does not have to
REM match the real hardware setting.) NTVDM supports Sound Blaster 2.0 only.
REM The T switch must be set to 3, if specified.
REM SET BLASTER=A220 I5 D1 P330 T3

REM To disable the sound blaster 2.0 support on NTVDM, specify an invalid
REM SB base I/O port address. For example:
REM SET BLASTER=A0
REM Install network redirector

REM lh %SystemRoot%\system32\nw16

REM lh %SystemRoot%\system32\vwipxspx
****/autoexec.nt****

****hijackthis02-18-07.txt**** -- The HiJack This log from this morning, with the error DOS window running.
Logfile of HijackThis v1.99.1
Scan saved at 10:50:54 AM, on 18/02/07
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\RemotelyAnywhere\ragui.exe
C:\WINDOWS\System32\CTFMON.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\RemotelyAnywhere\RaMaint.exe
C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\DirectX\Dinput\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Security\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: (no name) - {0381A807-1D54-9824-FF00-008F295D7482} - C:\WINDOWS\System32\nyvhvjf.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EyeOnIE Class - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll (file missing)
O2 - BHO: (no name) - {4D1F4935-8774-8482-4FB6-013A9143DDF1} - C:\WINDOWS\System32\ncoyykf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemotelyAnywhere GUI] "C:\Program Files\RemotelyAnywhere\ragui.exe"
O4 - HKLM\..\Run: [ProcessAudit] C:\Program Files\Adaptive Technology\Process Audit FREE Edition\ProcessAudit.exe -autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O20 - AppInit_DLLs: RAinit.dll "",
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\SYSTEM32\ms3d2a43d1.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - 3am Labs Ltd. - C:\Program Files\RemotelyAnywhere\RaMaint.exe
O23 - Service: RemotelyAnywhere - 3am Labs Ltd. - C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
****/hijackthis02-18-07.txt****

Any help or suggestions are appreciated. I'm sure it's something easy, but I just can't see it.

Robert
Owner - Rob's Help Desk
Tyler, TX
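The HijackThis log in the post above already carries the entries a log reviewer keys on: two "(no name)" BHOs loading DLLs with random-looking names from System32 (nyvhvjf.dll, ncoyykf.dll) and a Winlogon Notify entry pointing at ms3d2a43d1.dll, which is loaded into winlogon.exe at every logon. The script below is an added example for this page; it is not code from the thread, from HijackThis, or from any tool named in it. It parses the O2 and O20 lines of a 1.99-format log and ranks them. The sample lines are constructed from the kinds of entries posted above (the wlnotify.dll line is added for contrast), the stock Winlogon Notify allowlist is an assumption about a default Windows XP install, and looks_random() is a crude heuristic that is only consulted after the allowlist because it also fires on legitimate names such as crypt32.dll.

```python
import re
from collections import Counter

# Constructed sample in HijackThis 1.99 format: lines modelled on the log
# posted above plus one stock Winlogon Notify line for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0381A807-1D54-9824-FF00-008F295D7482} - C:\WINDOWS\System32\nyvhvjf.dll
O2 - BHO: (no name) - {4D1F4935-8774-8482-4FB6-013A9143DDF1} - C:\WINDOWS\System32\ncoyykf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O20 - AppInit_DLLs: RAinit.dll "",
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\SYSTEM32\ms3d2a43d1.dll
O20 - Winlogon Notify: ScCertProp - C:\WINDOWS\system32\wlnotify.dll
"""

# Assumption: the DLLs a stock Windows XP install registers under
# HKLM\...\Winlogon\Notify. Anything else listed there runs inside winlogon.exe.
KNOWN_GOOD_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
VOWELS = set("aeiou")


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def in_system32(path):
    return "\\system32\\" in path.lower()


def looks_random(filename):
    """Crude heuristic for generated names such as nyvhvjf.dll or
    ms3d2a43d1.dll: almost no vowels among the letters, or two or more
    digit runs in the stem. It also fires on some legitimate names
    (crypt32.dll), so it is only consulted after the allowlist."""
    stem = filename.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    digit_runs = len(re.findall(r"\d+", stem))
    return vowel_ratio < 0.2 or digit_runs >= 2


def triage(log_text):
    """Return findings (dicts with severity, line, path, reason) for the
    O2 (BHO) and O20 (AppInit_DLLs / Winlogon Notify) lines of a log."""
    findings = []

    def add(severity, line, path, reason):
        findings.append({"severity": severity, "line": line,
                         "path": path, "reason": reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                add("LOW", line, path, "orphaned BHO registration, no DLL on disk")
            elif name == "(no name)" and in_system32(path) and looks_random(basename(path)):
                add("HIGH", line, path, "unnamed BHO loading a random-looking DLL from System32")
            elif name == "(no name)":
                add("INFO", line, path, "unnamed BHO outside System32; confirm the publisher")
            continue
        m = NOTIFY_RE.match(line)
        if m:
            path = m.group("path")
            dll = basename(path).lower()
            if dll in KNOWN_GOOD_NOTIFY:
                continue
            sev = "HIGH" if looks_random(dll) else "MEDIUM"
            add(sev, line, path, "non-stock Winlogon Notify DLL loaded into winlogon.exe at logon")
            continue
        m = APPINIT_RE.match(line)
        if m and m.group("value").strip():
            add("INFO", line, m.group("value"),
                "AppInit_DLLs is loaded by every process that maps user32.dll; confirm the vendor")
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: f["severity"]):
        print(f"[{f['severity']}] {f['path']}: {f['reason']}")
    print(dict(summarize(results)))
```

Run against the sample, the three HIGH findings are exactly the two System32 BHOs and the Winmsc Notify DLL; Spybot's SDHelper.dll is also registered without a name but lives under Program Files and reads as a real word, so it only gets an INFO line, and the "(no file)" BHO is flagged LOW as registry cleanup rather than infection. To use it on a real log, replace SAMPLE_LOG with the file contents; the O4 Run entries and O23 services are deliberately not scored here, since a vendor-signed path alone says little about them.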

#2 OldTimer (Malware Expert; Members, 11,092 posts, Location: North Carolina)

Posted 28 February 2007 - 08:51 PM

Hello fezzikjr and welcome to the BC HijackThis forum. It looks like we have a vundo infection here. Let's see if we can remove it.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

OK. Start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with the log file from VundoFix (c:\vundofix.txt) and details of any problems you encountered performing the above steps and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 fezzikjr (Topic Starter; Members, 9 posts, Location: Tyler, TX)

Posted 03 April 2007 - 11:33 PM

Sorry for the late response,

Four weeks after (specifically, yesterday) my failed attempts to contact my customer, she called me, and we arranged a time I could remotely access her computer.

1. I disabled the Anti-Virus program completely.

2. I killed the "Process Auditor Free Edition" program (a.k.a., Band-Aid fix), then let the pop-up occur (unaltered, aside from the aforementioned changes to the file, turning on the "ECHO" function). The VundoFix.exe program did not find problems, and then closed when I pressed the "Fix" button.

2b. I tried the same problem keeping the pop-up closed manually by ending its process. Same result.

2c. A third time, by letting the "Process Auditor" program kill the process; again, to no avail.

The frustration of only being able to do the ol' reimage of her computer to fix the problem has caused some frustration, to say the least....

Where do I go from here?

Thanks again

#4 OldTimer (Malware Expert; Members, 11,092 posts, Location: North Carolina)

Posted 04 April 2007 - 04:28 AM

Hi fezzikjr. Let's try a different scanner and see what it shows us.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - Policy Settings
    • Reg - Security Settings
    • File - Additional Folder Scans
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 fezzikjr (Topic Starter; Members, 9 posts, Location: Tyler, TX)

Posted 06 April 2007 - 01:08 AM

Greetings -

Thanks for the fast reply. Included is the log you requested.

Thanks again

----------------------------------------------------------

WinPFind3 logfile created on: 06/04/07 12:28:42 AM
WinPFind3U by OldTimer - Version 1.0.33 Folder = C:\Documents and Settings\Tonya\Desktop\WinPFind3u\
Microsoft Windows XP (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2600.0000)

479.49 Mb Total Physical Memory | 198.38 Mb Available Physical Memory | 41.37% Memory free
1.39 Gb Paging File | 1.18 Gb Available in Paging File | 84.84% Paging File free
Paging file location(s): C:\pagefile.sys 1024 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 57.82 Gb Free Space | 75.41% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: SHERYL
Current User Name: Tonya
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [Ver = 4, 7, 936, 0 | Size = 108160 bytes | Modified Date = 15/01/07 12:28:58 PM | Attr = ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 255616 bytes | Modified Date = 15/01/07 12:28:32 PM | Attr = ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [Ver = 4, 7, 936, 0 | Size = 132736 bytes | Modified Date = 15/01/07 12:28:52 PM | Attr = ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 370304 bytes | Modified Date = 15/01/07 12:27:52 PM | Attr = ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [Ver = | Size = 59008 bytes | Modified Date = 15/01/07 12:18:24 PM | Attr = ]
brmfrmps.exe -> %System32%\Brmfrmps.exe -> Brother Industries, Ltd. [Ver = 1.10.10.144 | Size = 65536 bytes | Modified Date = 19/03/03 5:43:00 PM | Attr = ]
brss01a.exe -> %System32%\brss01a.exe -> brother Industries Ltd [Ver = 1.004 | Size = 45056 bytes | Modified Date = 12/12/01 7:01:00 PM | Attr = ]
brsvc01a.exe -> %System32%\brsvc01a.exe -> brother Industries Ltd [Ver = 1, 0, 0, 3 | Size = 57344 bytes | Modified Date = 11/04/02 7:00:00 PM | Attr = ]
hpzipm12.exe -> %System32%\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 29/09/04 12:14:36 PM | Attr = ]
ra_rc.exe -> %ProgramFiles%\RemotelyAnywhere\RA_RC.exe -> 3am Labs Ltd. [Ver = 5.33.435 | Size = 303104 bytes | Modified Date = 14/07/04 8:10:50 PM | Attr = ]
ragui.exe -> %ProgramFiles%\RemotelyAnywhere\ragui.exe -> 3am Labs Ltd. [Ver = 5.33.435 | Size = 417792 bytes | Modified Date = 14/07/04 8:09:10 PM | Attr = ]
ramaint.exe -> %ProgramFiles%\RemotelyAnywhere\ramaint.exe -> 3am Labs Ltd. [Ver = 5.33.435 | Size = 53248 bytes | Modified Date = 14/07/04 8:09:54 PM | Attr = ]
remotelyanywhere.exe -> %ProgramFiles%\RemotelyAnywhere\RemotelyAnywhere.exe -> 3am Labs Ltd. [Ver = 5.33.435 | Size = 1158992 bytes | Modified Date = 14/07/04 8:18:24 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.33.0 | Size = 318464 bytes | Modified Date = 02/04/07 10:01:54 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [Ver = | Size = 59008 bytes | Modified Date = 15/01/07 12:18:24 PM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [Ver = 4, 7, 936, 0 | Size = 132736 bytes | Modified Date = 15/01/07 12:28:52 PM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 255616 bytes | Modified Date = 15/01/07 12:28:32 PM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 936, 0 | Size = 370304 bytes | Modified Date = 15/01/07 12:27:52 PM | Attr = ]
(brmfrmps) Brother Popup Suspend service for Resource manager [Win32_Own | Auto | Running] -> %System32%\Brmfrmps.exe -> Brother Industries, Ltd. [Ver = 1.10.10.144 | Size = 65536 bytes | Modified Date = 19/03/03 5:43:00 PM | Attr = ]
(Brother XP spl Service) BrSplService [Win32_Own | Auto | Running] -> %System32%\brsvc01a.exe -> brother Industries Ltd [Ver = 1, 0, 0, 3 | Size = 57344 bytes | Modified Date = 11/04/02 7:00:00 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 204800 bytes | Modified Date = 23/08/01 10:00:00 AM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 04/04/05 12:41:10 AM | Attr = ]
(iPodService) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 4.9.0.17 | Size = 331776 bytes | Modified Date = 24/06/05 3:16:26 PM | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Running] -> %System32%\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 29/09/04 12:14:36 PM | Attr = ]
(RAMaint) RemotelyAnywhere Maintenance Service [Win32_Own | Auto | Running] -> %ProgramFiles%\RemotelyAnywhere\ramaint.exe -> 3am Labs Ltd. [Ver = 5.33.435 | Size = 53248 bytes | Modified Date = 14/07/04 8:09:54 PM | Attr = ]
(RemotelyAnywhere) RemotelyAnywhere [Win32_Own | Auto | Running] -> %ProgramFiles%\RemotelyAnywhere\RemotelyAnywhere.exe -> 3am Labs Ltd. [Ver = 5.33.435 | Size = 1158992 bytes | Modified Date = 14/07/04 8:18:24 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [Ver = 4, 7, 936, 0 | Size = 108160 bytes | Modified Date = 15/01/07 12:28:58 PM | Attr = ]
ProcessAudit -> %ProgramFiles%\Adaptive Technology\Process Audit FREE Edition\ProcessAudit.exe -> Adaptive Technology [Ver = 1.0.0.0 | Size = 188416 bytes | Modified Date = 03/11/06 11:20:42 PM | Attr = ]
RemotelyAnywhere GUI -> %ProgramFiles%\RemotelyAnywhere\ragui.exe -> 3am Labs Ltd. [Ver = 5.33.435 | Size = 417792 bytes | Modified Date = 14/07/04 8:09:10 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
RAinit.dll -> %System32%\RAinit.dll -> 3am Labs Ltd. [Ver = 5.33.435 | Size = 9552 bytes | Modified Date = 14/07/04 8:18:44 PM | Attr = ]
"" -> -> File not found
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
Winmsc -> %System32%\ms3d2a43d1.dll -> [Ver = | Size = 200786 bytes | Modified Date = 22/12/06 5:04:38 AM | Attr = ]
< HOSTS File > (8470 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar -> ->
HKLM: Search Page -> ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Default_Search_URL -> http://search.msn.com ->
HKCU: Local Page -> C:\WINDOWS\System32\blank.htm ->
HKCU: Search Bar -> http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html ->
HKCU: Search Page -> http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com ->
HKCU: Start Page -> http://www.google.com/ ->
HKCU: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
HKCU: ProxyEnable -> 0 ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0381A807-1D54-9824-FF00-008F295D7482} [HKLM] -> %System32%\nyvhvjf.dll [Reg Data - Value does not exist] -> [Ver = | Size = 71168 bytes | Modified Date = 18/05/02 9:26:34 AM | Attr = ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 12/01/06 9:38:22 PM | Attr = ]
{316AEF8D-3C37-423E-9E6E-13820A9DC37A} [HKLM] -> %SystemDrive%\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll [EyeOnIE Class] -> File not found
{4D1F4935-8774-8482-4FB6-013A9143DDF1} [HKLM] -> %System32%\ncoyykf.dll [Reg Data - Value does not exist] -> [Ver = | Size = 71680 bytes | Modified Date = 31/01/07 9:26:42 AM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/05 2:04:00 AM | Attr = ]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 513, 2948 | Size = 1349240 bytes | Modified Date = 17/02/07 3:51:38 PM | Attr = R ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 513, 2948 | Size = 1349240 bytes | Modified Date = 17/02/07 3:51:38 PM | Attr = R ]
{8E718888-423F-11D2-876E-00A0C9082467} [HKLM] -> %System32%\msdxm.ocx [&Radio] -> [Ver = | Size = 843804 bytes | Modified Date = 23/08/01 10:00:00 AM | Attr = ]
{BA52B914-B692-46c4-B683-905236F6F655} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 513, 2948 | Size = 1349240 bytes | Modified Date = 17/02/07 3:51:38 PM | Attr = R ]
WebBrowser\\{40D41A8B-D79B-43D7-99A7-9EE0F344C385} [HKLM] -> %ProgramFiles%\AIM Toolbar\AIMBar.dll [AIM Search] -> America Online, Inc [Ver = 2004.00.003 | Size = 172032 bytes | Modified Date = 07/05/05 1:57:46 AM | Attr = ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_02\bin\npjpi150_02.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.20.9 | Size = 69746 bytes | Modified Date = 04/03/05 5:54:18 AM | Attr = ]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -> %ProgramFiles%\PartyPoker\PartyPoker.exe [ButtonText: PartyPoker.com] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
&AIM Search -> %ProgramFiles%\AIM Toolbar\AIMBar.dll\aimsearch.htm -> File not found
411 Ferret Toolbar search -> Reg Data - Value does not exist -> File not found
Add to Windows &Live Favorites -> http:\favorites.live.com\quickadd.asp -> File not found
E&xport to Microsoft Excel -> -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{9BA82830-96C7-49F1-83BB-ACD79CD896D8} -> (VIA Compatable Fast Ethernet Adapter) ->
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
shell -> shell protocol not assigned ->
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
shell -> shell protocol not assigned ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
vnd.ms.radio -> %System32%\msdxm.ocx -> [Ver = | Size = 843804 bytes | Modified Date = 23/08/01 10:00:00 AM | Attr = ]


[Registry - Additional Scans - Non-Microsoft Only]
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
0 -> [Key] ->
0 -> FriendlyName = My Current Home Page ->
0 -> Source = About:Home ->
0 -> SubscribedURL = About:Home ->
< Disabled MSConfig Folder Items[HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk -> %SystemDrive%\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE -> File not found
C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 24/09/05 1:05:26 AM | Attr = ]
C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 282624 bytes | Modified Date = 11/05/05 11:23:26 PM | Attr = ]
C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk -> %CommonProgramFiles%\Palo Alto Software\8.0\PAS8_Update.exe -> Palo Alto Software [Ver = 1.211.0.0 | Size = 122880 bytes | Modified Date = 01/09/05 3:56:24 PM | Attr = ]
C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk -> %SystemDrive%\PROGRA~1\Scansoft\PAPERP~1\SmartUI\SmartUI.exe -> File not found
C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk -> %SystemDrive%\PROGRA~1\MSNTOO~1\DS\020500~1.111\en-us\bin\WINDOW~3.EXE -> File not found
C:^Documents and Settings^Tonya^Start Menu^Programs^Startup^LimeWire On Startup.lnk -> %UserDocuments%\LimeWire\LimeWire.exe -> Lime Wire, LLC [Ver = 1, 0, 0, 2 | Size = 81920 bytes | Modified Date = 20/07/05 6:03:22 PM | Attr = ]
C:^Documents and Settings^Tonya^Start Menu^Programs^Startup^Morpheus.lnk -> %SystemDrive%\PROGRA~1\Morpheus\Morpheus.exe -> File not found
C:^Documents and Settings^Tonya^Start Menu^Programs^Startup^Think-Adz.lnk -> %System32%\qwinkoea.exe -> [Ver = | Size = 184389 bytes | Modified Date = 31/01/07 9:32:56 AM | Attr = ]
C:^Documents and Settings^Tonya^Start Menu^Programs^Startup^Z_Start.lnk -> %System32%\dwdsregt.exe -> File not found
< Disabled MSConfig Registry Items [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
{5087A9CB-05DB-1033-0228-030122020001} -> %CommonProgramFiles%\{5087A9CB-05DB-1033-0228-030122020001}\Update.exe -> File not found
{5087A9CB-05DC-1033-0228-030122020001} -> %CommonProgramFiles%\{5087A9CB-05DC-1033-0228-030122020001}\Update.exe -> [Ver = | Size = 14336 bytes | Modified Date = 31/01/07 3:55:04 PM | Attr = ]
{7A-A9-9C-CB-ZN} -> %System32%\njdsregl.exe -> File not found
4Ec2eHmR -> %SystemRoot%\kovainfk.exe -> File not found
AIM -> %SystemDrive%\PROGRA~1\AIM\aim.exe -cnetwait.odl -> File not found
Aim6 -> %CommonProgramFiles%\AOL\Launch\AOLLaunch.exe -> File not found
bukoj -> %System32%\bukoj.exe -> File not found
byejl -> %System32%\byejl.exe -> File not found
cfl -> %System32%\cfl.exe -> File not found
ChkDisk -> %System32%\chk_disk.exe -> File not found
Ckeb -> %SystemRoot%\dllwqjfh.exe -> File not found
CleanUp -> %SystemDrive%\PROGRA~1\McAfee.com\Shared\mcappins.exe -> File not found
csrss -> %SystemRoot%\system\csrss.exe -> [Ver = | Size = 214 bytes | Modified Date = 15/02/07 11:14:30 AM | Attr = ]
DC6_check -> %CommonProgramFiles%\WinAntiVirus Pro 2006\dc6_startupmon.exe -> File not found
Dinst -> %SystemRoot%\dinst.exe -> File not found
dwStart -> -> File not found
dydwerg.dll -> %System32%\dydwerg.dll -> [Ver = | Size = 58880 bytes | Modified Date = 31/01/07 9:26:40 AM | Attr = ]
ERS_check -> %CommonProgramFiles%\WinAntiVirus Pro 2006\ers_startupmon.exe -> File not found
ExploreUpdSched -> %System32%\qwinkoea.exe -> [Ver = | Size = 184389 bytes | Modified Date = 31/01/07 9:32:56 AM | Attr = ]
gcasServ -> %ProgramFiles%\Microsoft AntiSpyware\gcasServ.exe -> File not found
GSILoAXS -> %SystemRoot%\iurwc.exe -> File not found
HostManager -> %CommonProgramFiles%\AOL\1138330597\ee\AOLSoftware.exe -> File not found
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> File not found
HPDJ Taskbar Utility -> %System32%\spool\drivers\w32x86\3\hpztsb12.exe -> File not found
hreuis -> %System32%\euydeg.exe -> File not found
IE Redir -> %SystemRoot%\ieredir.exe -> File not found
IndexSearch -> %ProgramFiles%\Scansoft\PaperPort\IndexSearch.exe -> File not found
Internet Optimizer -> %ProgramFiles%\Internet Optimizer\optimize.exe -> File not found
IpWins -> %ProgramFiles%\ipwins\ipwins.exe -> File not found
IST Service -> %ProgramFiles%\ISTsvc\istsvc.exe -> File not found
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 4.9.0.17 | Size = 278528 bytes | Modified Date = 24/06/05 3:16:42 PM | Attr = ]
jclgfbl.dll -> %System32%\jclgfbl.dll -> [Ver = | Size = 59392 bytes | Modified Date = 18/05/02 9:26:32 AM | Attr = ]
KernelFaultCheck -> -> File not found
Lexmark_X79-55 -> %System32%\lsasss.exe -> File not found
MCAgentExe -> %SystemDrive%\PROGRA~1\mcafee.com\agent\mcagent.exe -> File not found
MCUpdateExe -> %SystemDrive%\PROGRA~1\mcafee.com\agent\McUpdate.exe -> File not found
mgktkoc -> %System32%\lvjjde.exe -> File not found
Microsoft Windows Logon Process -> %SystemRoot%\winlogon.exe -> File not found
Microsoft Windows Session Manager Subsystem -> %SystemRoot%\smss.exe -> File not found
MsnMsgr -> %ProgramFiles%\MSN Messenger\msnmsgr.exe -> File not found
My Web Search Bar -> %SystemDrive%\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL -> File not found
My Web Search Community Tools -> %ProgramFiles%\MyWebSearch\bar\2.bin\m3IMPipe.exe -> File not found
MyWebSearch Email Plugin -> %SystemDrive%\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe -> File not found
NaviSearch -> %ProgramFiles%\NaviSearch\bin\nls.exe -> File not found
New.net Startup -> %SystemDrive%\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL -> File not found
PaperPort PTD -> %ProgramFiles%\Scansoft\PaperPort\pptd40nt.exe -> File not found
PP8 SE Reminder -> %ProgramFiles%\Scansoft\PaperPort\WebEreg\NAVBrowser.exe -> File not found
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> File not found
Run -> -> File not found
SetDefPrt -> %ProgramFiles%\Brother\Brmfl03a\BrStDvPt.exe -> [Ver = | Size = 45056 bytes | Modified Date = 03/07/03 3:31:52 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_02\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.20.9 | Size = 36975 bytes | Modified Date = 04/03/05 5:36:46 AM | Attr = ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe -> File not found
TheMonitor -> %SystemRoot%\Duce6.exe -> File not found
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> File not found
updateMgr -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe -> Adobe Systems Incorporated [Ver = 3.1.0.10 | Size = 313472 bytes | Modified Date = 30/03/06 4:45:08 PM | Attr = ]
ViewMgr -> %ProgramFiles%\Viewpoint\Viewpoint Manager\ViewMgr.exe -> File not found
VirusScan Online -> %SystemDrive%\PROGRA~1\mcafee.com\vso\mcvsshld.exe -> File not found
Vrmon -> %ProgramFiles%\PCSecurityShield\ShieldAntivirus\vrmonnt.exe -> File not found
VrSchedule -> %ProgramFiles%\PCSecurityShield\ShieldAntivirus\Vrres.exe -> File not found
VSOCheckTask -> %SystemDrive%\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe -> File not found
VTPreset -> %System32%\VTPreset.exe -> S3 Graphics, Inc. [Ver = 1.01.00.0102 | Size = 45056 bytes | Modified Date = 24/02/04 8:17:18 PM | Attr = ]
Weather -> %SystemDrive%\PROGRA~1\AWS\WEATHE~1\Weather.exe -> File not found
WildTangent CDA -> Files\WildTangent\Apps\CDA\cdaEngine0400.DLL -> File not found
win32071071351068 -> %SystemRoot%\win32071071351068.exe -> File not found
WinFixer 2005 -> %ProgramFiles%\WinFixer 2005\wfx5.exe -> File not found
WinSysModule -> %SystemRoot%\dsrss.exe -> [Ver = | Size = 28160 bytes | Modified Date = 31/01/07 9:28:34 AM | Attr = ]
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\ypager.exe -> File not found
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\bukoj -> C:\WINDOWS\System32\bukoj.exe ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\ -> ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ -> ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\\FormSuggest Passwords -> 1 ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\\FormSuggest -> 1 ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\restrictions\ -> ->
< Security Settings > ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntivirusOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ImagePath -> %SystemRoot%\System32\svchost.exe -k netsvcs ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DisplayName -> Background Intelligent Transfer Service ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DependOnService -> Rpcss; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Description -> Uses idle network bandwidth to transfer data. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\\ServiceDll -> %SystemRoot%\System32\qmgr.dll ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\0 -> Root\LEGACY_BITS\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess not found. -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %SystemRoot%\system32\svchost.exe -k netsvcs ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\System32\wuauserv.dll ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 ->

[Files/Folders - Created Within 30 days]
03eba755e3cf06d7954bfa67 -> %SystemDrive%\03eba755e3cf06d7954bfa67 -> [Folder | Created Date = 04/04/07 8:17:57 AM | Attr = ]
0d9b5c6db29616e4ee7865687652 -> %SystemDrive%\0d9b5c6db29616e4ee7865687652 -> [Folder | Created Date = 04/04/07 8:16:11 AM | Attr = ]
186f018a840d444b1c -> %SystemDrive%\186f018a840d444b1c -> [Folder | Created Date = 04/04/07 8:18:49 AM | Attr = ]
1915ef09ace704e3d0c5 -> %SystemDrive%\1915ef09ace704e3d0c5 -> [Folder | Created Date = 05/04/07 7:25:29 AM | Attr = ]
1dac41dd30f881e33d7ecc37fbde -> %SystemDrive%\1dac41dd30f881e33d7ecc37fbde -> [Folder | Created Date = 05/04/07 7:25:18 AM | Attr = ]
248f6b53777577c2810e222d34 -> %SystemDrive%\248f6b53777577c2810e222d34 -> [Folder | Created Date = 05/04/07 7:25:01 AM | Attr = ]
28f59cfa4a47db6a915fc51cf8c05 -> %SystemDrive%\28f59cfa4a47db6a915fc51cf8c05 -> [Folder | Created Date = 05/04/07 7:25:24 AM | Attr = ]
2c2c659327562 -> %SystemDrive%\2c2c659327562 -> [Folder | Created Date = 05/04/07 7:24:47 AM | Attr = ]
2f88a0737b95a19e4b01105e11e9476d -> %SystemDrive%\2f88a0737b95a19e4b01105e11e9476d -> [Folder | Created Date = 04/04/07 8:18:00 AM | Attr = ]
358 -> %SystemDrive%\358 -> [Folder | Created Date = 04/04/07 8:13:03 AM | Attr = ]
364c0af8388db0cbf271e4dbaacc89 -> %SystemDrive%\364c0af8388db0cbf271e4dbaacc89 -> [Folder | Created Date = 05/04/07 7:24:54 AM | Attr = ]
4 -> %SystemDrive%\4 -> [Folder | Created Date = 04/04/07 8:14:29 AM | Attr = ]
45d8fa8ad98c4b4e467e4c70607c -> %SystemDrive%\45d8fa8ad98c4b4e467e4c70607c -> [Folder | Created Date = 05/04/07 7:24:44 AM | Attr = ]
4a9fe88c10cb8 -> %SystemDrive%\4a9fe88c10cb8 -> [Folder | Created Date = 04/04/07 8:16:06 AM | Attr = ]
5e6cbe6c822923ecbc33662163d3de -> %SystemDrive%\5e6cbe6c822923ecbc33662163d3de -> [Folder | Created Date = 05/04/07 7:25:10 AM | Attr = ]
5ff6662b9e3abeaa951eb9678759cc5b -> %SystemDrive%\5ff6662b9e3abeaa951eb9678759cc5b -> [Folder | Created Date = 04/04/07 8:13:13 AM | Attr = ]
601949fa0a970e9879 -> %SystemDrive%\601949fa0a970e9879 -> [Folder | Created Date = 05/04/07 7:24:40 AM | Attr = ]
648ac3f170c8f5ab985ea -> %SystemDrive%\648ac3f170c8f5ab985ea -> [Folder | Created Date = 04/04/07 8:12:20 AM | Attr = ]
666f2147d9b2d7c -> %SystemDrive%\666f2147d9b2d7c -> [Folder | Created Date = 05/04/07 7:24:26 AM | Attr = ]
6c21c0c15a26f5988bd -> %SystemDrive%\6c21c0c15a26f5988bd -> [Folder | Created Date = 05/04/07 7:25:33 AM | Attr = ]
70fa1dd0277dcaba29 -> %SystemDrive%\70fa1dd0277dcaba29 -> [Folder | Created Date = 05/04/07 7:25:16 AM | Attr = ]
7ad3bc4ec8b8d114d07283 -> %SystemDrive%\7ad3bc4ec8b8d114d07283 -> [Folder | Created Date = 04/04/07 8:15:10 AM | Attr = ]
7e3ead1b7fc2a28 -> %SystemDrive%\7e3ead1b7fc2a28 -> [Folder | Created Date = 05/04/07 7:24:30 AM | Attr = ]
92e6e23fc9dbeb298991ecca11986673 -> %SystemDrive%\92e6e23fc9dbeb298991ecca11986673 -> [Folder | Created Date = 05/04/07 7:24:37 AM | Attr = ]
93fec5b94f17465b409a2ad572185741 -> %SystemDrive%\93fec5b94f17465b409a2ad572185741 -> [Folder | Created Date = 04/04/07 8:16:59 AM | Attr = ]
96b7a2a70a5611ea960989e2ec4496 -> %SystemDrive%\96b7a2a70a5611ea960989e2ec4496 -> [Folder | Created Date = 04/04/07 8:18:02 AM | Attr = ]
a7814771293b10cb51e49e3f1f49633e -> %SystemDrive%\a7814771293b10cb51e49e3f1f49633e -> [Folder | Created Date = 04/04/07 8:18:54 AM | Attr = ]
b1e4564002c2579da3d6 -> %SystemDrive%\b1e4564002c2579da3d6 -> [Folder | Created Date = 05/04/07 7:24:59 AM | Attr = ]
b3153aef2 -> %SystemDrive%\b3153aef2 -> [Folder | Created Date = 04/04/07 8:13:10 AM | Attr = ]
bee95e9066caeb504654d239ddf1a4 -> %SystemDrive%\bee95e9066caeb504654d239ddf1a4 -> [Folder | Created Date = 05/04/07 7:25:23 AM | Attr = ]
c44061301bcceecf37c2b17b87 -> %SystemDrive%\c44061301bcceecf37c2b17b87 -> [Folder | Created Date = 04/04/07 8:17:04 AM | Attr = ]
d13aa1112648c9bcbd25 -> %SystemDrive%\d13aa1112648c9bcbd25 -> [Folder | Created Date = 04/04/07 8:14:27 AM | Attr = ]
d4c48efd67282b0 -> %SystemDrive%\d4c48efd67282b0 -> [Folder | Created Date = 05/04/07 7:24:24 AM | Attr = ]
e07a6e2cd89d3a0bf0 -> %SystemDrive%\e07a6e2cd89d3a0bf0 -> [Folder | Created Date = 05/04/07 7:25:21 AM | Attr = ]
e6d1cbec0b5e8fbf15c4954c54b745 -> %SystemDrive%\e6d1cbec0b5e8fbf15c4954c54b745 -> [Folder | Created Date = 05/04/07 7:25:14 AM | Attr = ]
e87ad9f55c31e87abd -> %SystemDrive%\e87ad9f55c31e87abd -> [Folder | Created Date = 19/03/07 11:06:14 AM | Attr = ]
ec416a2 -> %SystemDrive%\ec416a2 -> [Folder | Created Date = 05/04/07 7:25:02 AM | Attr = ]
ed2bbb4d2a16b39cf48e82e2e660be7 -> %SystemDrive%\ed2bbb4d2a16b39cf48e82e2e660be7 -> [Folder | Created Date = 04/04/07 8:18:46 AM | Attr = ]
fde2bac0fdd5ef611250fbc -> %SystemDrive%\fde2bac0fdd5ef611250fbc -> [Folder | Created Date = 05/04/07 7:25:12 AM | Attr = ]
winpfind3u.exe -> %SystemDrive%\winpfind3u.exe -> [Ver = | Size = 352396 bytes | Created Date = 05/04/07 10:50:32 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Created Date = 03/04/07 6:05:14 PM | Attr = H ]
$NtUninstallKB825119$ -> %SystemRoot%\$NtUninstallKB825119$ -> [Folder | Created Date = 04/04/07 8:07:00 AM | Attr = H ]
$NtUninstallKB841873$ -> %SystemRoot%\$NtUninstallKB841873$ -> [Folder | Created Date = 04/04/07 8:02:43 AM | Attr = H ]
$NtUninstallQ326830$ -> %SystemRoot%\$NtUninstallQ326830$ -> [Folder | Created Date = 04/04/07 8:03:40 AM | Attr = H ]
ipconfig.dat -> %SystemRoot%\ipconfig.dat -> [Ver = | Size = 547 bytes | Created Date = 04/04/07 7:15:19 PM | Attr = ]
LastGood -> %SystemRoot%\LastGood -> [Folder | Created Date = 03/04/07 6:05:11 PM | Attr = ]
dm.ini -> %UserAppData%\dm.ini -> [Ver = | Size = 514 bytes | Created Date = 05/04/07 10:16:05 AM | Attr = ]
Chloe.doc -> %UserDocuments%\Chloe.doc -> [Ver = | Size = 71680 bytes | Created Date = 16/03/07 1:47:00 AM | Attr = ]
Patricia Sheffield.Collection Specialist.doc -> %UserDocuments%\Patricia Sheffield.Collection Specialist.doc -> [Ver = | Size = 29184 bytes | Created Date = 13/03/07 4:42:53 PM | Attr = ]
Robert Rodriguez.Contract Mgr.doc -> %UserDocuments%\Robert Rodriguez.Contract Mgr.doc -> [Ver = | Size = 38912 bytes | Created Date = 13/03/07 10:27:21 AM | Attr = ]
Anna Zaner.Cash App.Spec.doc -> %UserDesktop%\Anna Zaner.Cash App.Spec.doc -> [Ver = | Size = 33280 bytes | Created Date = 21/03/07 2:31:32 PM | Attr = ]
Collection Specialist.job descp.doc -> %UserDesktop%\Collection Specialist.job descp.doc -> [Ver = | Size = 26624 bytes | Created Date = 15/03/07 5:22:50 PM | Attr = ]
Corp interviews email.doc -> %UserDesktop%\Corp interviews email.doc -> [Ver = | Size = 24064 bytes | Created Date = 08/03/07 12:07:02 PM | Attr = ]
Enterprise Rent-A-Car Rental cars for your every need_.htm -> %UserDesktop%\Enterprise Rent-A-Car Rental cars for your every need_.htm -> [Ver = | Size = 8003 bytes | Created Date = 23/03/07 1:18:29 PM | Attr = ]
John Baker's Resume 2007.rtf -> %UserDesktop%\John Baker's Resume 2007.rtf -> [Ver = | Size = 3162 bytes | Created Date = 28/03/07 12:14:51 PM | Attr = ]
John Yawney.PA.doc -> %UserDesktop%\John Yawney.PA.doc -> [Ver = | Size = 29184 bytes | Created Date = 04/04/07 10:32:26 AM | Attr = ]
Lewis Levine.Orlando.FL.doc -> %UserDesktop%\Lewis Levine.Orlando.FL.doc -> [Ver = | Size = 54272 bytes | Created Date = 05/04/07 11:06:18 AM | Attr = ]
Lori Kester.PA.doc -> %UserDesktop%\Lori Kester.PA.doc -> [Ver = | Size = 38912 bytes | Created Date = 03/04/07 1:40:31 PM | Attr = ]
Metromedia fax.doc -> %UserDesktop%\Metromedia fax.doc -> [Ver = | Size = 28672 bytes | Created Date = 14/03/07 9:47:08 AM | Attr = ]
MetroPCS.crystal.htm -> %UserDesktop%\MetroPCS.crystal.htm -> [Ver = | Size = 14205 bytes | Created Date = 03/04/07 11:20:15 AM | Attr = ]
MetroPCS.crystal_files -> %UserDesktop%\MetroPCS.crystal_files -> [Folder | Created Date = 03/04/07 11:20:15 AM | Attr = ]
Michael Eliott Viehweger.Trevose.PA.doc -> %UserDesktop%\Michael Eliott Viehweger.Trevose.PA.doc -> [Ver = | Size = 26624 bytes | Created Date = 03/04/07 12:29:47 PM | Attr = ]
MICHELLE RENFROE.Audit Analy..doc -> %UserDesktop%\MICHELLE RENFROE.Audit Analy..doc -> [Ver = | Size = 35328 bytes | Created Date = 13/03/07 1:40:44 PM | Attr = ]
Ms.Pollard.dress.UPS.doc -> %UserDesktop%\Ms.Pollard.dress.UPS.doc -> [Ver = | Size = 106496 bytes | Created Date = 05/04/07 2:38:15 PM | Attr = ]
New Hire fax cvr.doc -> %UserDesktop%\New Hire fax cvr.doc -> [Ver = | Size = 483328 bytes | Created Date = 14/03/07 10:02:05 AM | Attr = ]
Richard JAMES Goldsmith.Trevose.Cherry Hill, NJ.doc -> %UserDesktop%\Richard JAMES Goldsmith.Trevose.Cherry Hill, NJ.doc -> [Ver = | Size = 25088 bytes | Created Date = 30/03/07 11:59:47 AM | Attr = ]
Steak.openigs.3.2007.xls -> %UserDesktop%\Steak.openigs.3.2007.xls -> [Ver = | Size = 29696 bytes | Created Date = 05/04/07 8:45:04 AM | Attr = ]
Stuart Brown.Ft.Lauderdale.FL.offer.2.doc -> %UserDesktop%\Stuart Brown.Ft.Lauderdale.FL.offer.2.doc -> [Ver = | Size = 27136 bytes | Created Date = 23/03/07 12:10:44 PM | Attr = ]
T019.jpg -> %UserDesktop%\T019.jpg -> [Ver = | Size = 61658 bytes | Created Date = 30/03/07 1:13:25 PM | Attr = ]
Todd Flashner.Cherry Hill.NJ.doc -> %UserDesktop%\Todd Flashner.Cherry Hill.NJ.doc -> [Ver = | Size = 26112 bytes | Created Date = 02/04/07 3:12:13 PM | Attr = ]
WinPFind3u -> %UserDesktop%\WinPFind3u -> [Folder | Created Date = 05/04/07 11:26:45 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
03eba755e3cf06d7954bfa67 -> %SystemDrive%\03eba755e3cf06d7954bfa67 -> [Folder | Modified Date = 04/04/07 9:18:00 AM | Attr = ]
0d9b5c6db29616e4ee7865687652 -> %SystemDrive%\0d9b5c6db29616e4ee7865687652 -> [Folder | Modified Date = 04/04/07 9:16:14 AM | Attr = ]
186f018a840d444b1c -> %SystemDrive%\186f018a840d444b1c -> [Folder | Modified Date = 04/04/07 9:18:52 AM | Attr = ]
1915ef09ace704e3d0c5 -> %SystemDrive%\1915ef09ace704e3d0c5 -> [Folder | Modified Date = 05/04/07 8:25:32 AM | Attr = ]
1dac41dd30f881e33d7ecc37fbde -> %SystemDrive%\1dac41dd30f881e33d7ecc37fbde -> [Folder | Modified Date = 05/04/07 8:25:20 AM | Attr = ]
248f6b53777577c2810e222d34 -> %SystemDrive%\248f6b53777577c2810e222d34 -> [Folder | Modified Date = 05/04/07 8:25:04 AM | Attr = ]
28f59cfa4a47db6a915fc51cf8c05 -> %SystemDrive%\28f59cfa4a47db6a915fc51cf8c05 -> [Folder | Modified Date = 05/04/07 8:25:26 AM | Attr = ]
2c2c659327562 -> %SystemDrive%\2c2c659327562 -> [Folder | Modified Date = 05/04/07 8:24:50 AM | Attr = ]
2f88a0737b95a19e4b01105e11e9476d -> %SystemDrive%\2f88a0737b95a19e4b01105e11e9476d -> [Folder | Modified Date = 04/04/07 9:18:02 AM | Attr = ]
358 -> %SystemDrive%\358 -> [Folder | Modified Date = 04/04/07 9:13:06 AM | Attr = ]
364c0af8388db0cbf271e4dbaacc89 -> %SystemDrive%\364c0af8388db0cbf271e4dbaacc89 -> [Folder | Modified Date = 05/04/07 8:24:58 AM | Attr = ]
4 -> %SystemDrive%\4 -> [Folder | Modified Date = 04/04/07 9:14:32 AM | Attr = ]
45d8fa8ad98c4b4e467e4c70607c -> %SystemDrive%\45d8fa8ad98c4b4e467e4c70607c -> [Folder | Modified Date = 05/04/07 8:24:46 AM | Attr = ]
4a9fe88c10cb8 -> %SystemDrive%\4a9fe88c10cb8 -> [Folder | Modified Date = 04/04/07 9:16:08 AM | Attr = ]
5e6cbe6c822923ecbc33662163d3de -> %SystemDrive%\5e6cbe6c822923ecbc33662163d3de -> [Folder | Modified Date = 05/04/07 8:25:12 AM | Attr = ]
5ff6662b9e3abeaa951eb9678759cc5b -> %SystemDrive%\5ff6662b9e3abeaa951eb9678759cc5b -> [Folder | Modified Date = 04/04/07 9:13:16 AM | Attr = ]
601949fa0a970e9879 -> %SystemDrive%\601949fa0a970e9879 -> [Folder | Modified Date = 05/04/07 8:24:42 AM | Attr = ]
648ac3f170c8f5ab985ea -> %SystemDrive%\648ac3f170c8f5ab985ea -> [Folder | Modified Date = 04/04/07 9:12:22 AM | Attr = ]
666f2147d9b2d7c -> %SystemDrive%\666f2147d9b2d7c -> [Folder | Modified Date = 05/04/07 8:24:30 AM | Attr = ]
6c21c0c15a26f5988bd -> %SystemDrive%\6c21c0c15a26f5988bd -> [Folder | Modified Date = 05/04/07 8:25:36 AM | Attr = ]
70fa1dd0277dcaba29 -> %SystemDrive%\70fa1dd0277dcaba29 -> [Folder | Modified Date = 05/04/07 8:25:18 AM | Attr = ]
7ad3bc4ec8b8d114d07283 -> %SystemDrive%\7ad3bc4ec8b8d114d07283 -> [Folder | Modified Date = 04/04/07 9:15:12 AM | Attr = ]
7e3ead1b7fc2a28 -> %SystemDrive%\7e3ead1b7fc2a28 -> [Folder | Modified Date = 05/04/07 8:24:32 AM | Attr = ]
92e6e23fc9dbeb298991ecca11986673 -> %SystemDrive%\92e6e23fc9dbeb298991ecca11986673 -> [Folder | Modified Date = 05/04/07 8:24:38 AM | Attr = ]
93fec5b94f17465b409a2ad572185741 -> %SystemDrive%\93fec5b94f17465b409a2ad572185741 -> [Folder | Modified Date = 04/04/07 9:17:02 AM | Attr = ]
96b7a2a70a5611ea960989e2ec4496 -> %SystemDrive%\96b7a2a70a5611ea960989e2ec4496 -> [Folder | Modified Date = 04/04/07 9:18:04 AM | Attr = ]
a7814771293b10cb51e49e3f1f49633e -> %SystemDrive%\a7814771293b10cb51e49e3f1f49633e -> [Folder | Modified Date = 04/04/07 9:18:56 AM | Attr = ]
b1e4564002c2579da3d6 -> %SystemDrive%\b1e4564002c2579da3d6 -> [Folder | Modified Date = 05/04/07 8:25:00 AM | Attr = ]
b3153aef2 -> %SystemDrive%\b3153aef2 -> [Folder | Modified Date = 04/04/07 9:13:12 AM | Attr = ]
bee95e9066caeb504654d239ddf1a4 -> %SystemDrive%\bee95e9066caeb504654d239ddf1a4 -> [Folder | Modified Date = 05/04/07 8:25:24 AM | Attr = ]
c44061301bcceecf37c2b17b87 -> %SystemDrive%\c44061301bcceecf37c2b17b87 -> [Folder | Modified Date = 04/04/07 9:17:06 AM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 04/04/07 9:20:00 AM | Attr = H ]
d13aa1112648c9bcbd25 -> %SystemDrive%\d13aa1112648c9bcbd25 -> [Folder | Modified Date = 04/04/07 9:14:30 AM | Attr = ]
d4c48efd67282b0 -> %SystemDrive%\d4c48efd67282b0 -> [Folder | Modified Date = 05/04/07 8:24:26 AM | Attr = ]
e07a6e2cd89d3a0bf0 -> %SystemDrive%\e07a6e2cd89d3a0bf0 -> [Folder | Modified Date = 05/04/07 8:25:22 AM | Attr = ]
e6d1cbec0b5e8fbf15c4954c54b745 -> %SystemDrive%\e6d1cbec0b5e8fbf15c4954c54b745 -> [Folder | Modified Date = 05/04/07 8:25:16 AM | Attr = ]
e87ad9f55c31e87abd -> %SystemDrive%\e87ad9f55c31e87abd -> [Folder | Modified Date = 19/03/07 12:06:28 PM | Attr = ]
ec416a2 -> %SystemDrive%\ec416a2 -> [Folder | Modified Date = 05/04/07 8:25:04 AM | Attr = ]
ed2bbb4d2a16b39cf48e82e2e660be7 -> %SystemDrive%\ed2bbb4d2a16b39cf48e82e2e660be7 -> [Folder | Modified Date = 04/04/07 9:18:48 AM | Attr = ]
fde2bac0fdd5ef611250fbc -> %SystemDrive%\fde2bac0fdd5ef611250fbc -> [Folder | Modified Date = 05/04/07 8:25:14 AM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 502849536 bytes | Modified Date = 05/04/07 11:48:18 PM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 04/04/07 9:07:58 AM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 05/04/07 11:23:38 AM | Attr = ]
winpfind3u.exe -> %SystemDrive%\winpfind3u.exe -> [Ver = | Size = 352396 bytes | Modified Date = 05/04/07 11:50:36 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 04/04/07 9:03:46 AM | Attr = H ]
$NtUninstallKB825119$ -> %SystemRoot%\$NtUninstallKB825119$ -> [Folder | Modified Date = 04/04/07 9:07:02 AM | Attr = H ]
$NtUninstallKB841873$ -> %SystemRoot%\$NtUninstallKB841873$ -> [Folder | Modified Date = 04/04/07 9:02:46 AM | Attr = H ]
$NtUninstallQ326830$ -> %SystemRoot%\$NtUninstallQ326830$ -> [Folder | Modified Date = 04/04/07 9:03:42 AM | Attr = H ]
assembly -> %SystemRoot%\assembly -> [Folder | Modified Date = 02/04/07 8:38:26 AM | Attr = R S]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 05/04/07 11:48:18 PM | Attr = S]
CSC -> %SystemRoot%\CSC -> [Folder | Modified Date = 05/04/07 11:48:20 PM | Attr = HS]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 05/04/07 11:48:30 PM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1355 bytes | Modified Date = 04/04/07 9:03:52 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 05/04/07 11:27:36 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 04/04/07 9:19:58 AM | Attr = HS]
ipconfig.dat -> %SystemRoot%\ipconfig.dat -> [Ver = | Size = 547 bytes | Modified Date = 04/04/07 8:18:02 PM | Attr = ]
LastGood -> %SystemRoot%\LastGood -> [Folder | Modified Date = 05/04/07 8:30:04 AM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 06/04/07 12:27:20 AM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 04/04/07 9:36:50 AM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 05/04/07 11:54:38 PM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 1395 bytes | Modified Date = 04/04/07 9:15:58 AM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 05/04/07 11:48:20 PM | Attr = H ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 05/04/07 8:25:28 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 05/04/07 11:27:34 PM | Attr = ]
comspap.dat -> %System32%\comspap.dat -> [Ver = | Size = 8147 bytes | Modified Date = 06/04/07 12:24:10 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 04/04/07 9:08:00 AM | Attr = RHS]
ieakswed.dat -> %System32%\ieakswed.dat -> [Ver = | Size = 0 bytes | Modified Date = 06/04/07 12:24:10 AM | Attr = ]
ixssavri.dat -> %System32%\ixssavri.dat -> [Ver = | Size = 2214 bytes | Modified Date = 06/04/07 12:27:26 AM | Attr = ]
kbdazek.dat -> %System32%\kbdazek.dat -> [Ver = | Size = 0 bytes | Modified Date = 06/04/07 12:27:26 AM | Attr = ]
MFC71ENZ.dat -> %System32%\MFC71ENZ.dat -> [Ver = | Size = 45087 bytes | Modified Date = 06/04/07 12:27:26 AM | Attr = ]
MSJtErO5.dat -> %System32%\MSJtErO5.dat -> [Ver = | Size = 17901 bytes | Modified Date = 06/04/07 12:27:26 AM | Attr = ]
narrhood.dat -> %System32%\narrhood.dat -> [Ver = | Size = 50575 bytes | Modified Date = 06/04/07 12:24:10 AM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 59440 bytes | Modified Date = 02/04/07 8:24:26 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 395200 bytes | Modified Date = 02/04/07 8:24:28 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 462344 bytes | Modified Date = 02/04/07 8:24:26 AM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2184 bytes | Modified Date = 03/04/07 11:27:52 AM | Attr = ]
wpdmtuus.dat -> %System32%\wpdmtuus.dat -> [Ver = | Size = 40799 bytes | Modified Date = 06/04/07 12:27:26 AM | Attr = ]
dm.ini -> %UserAppData%\dm.ini -> [Ver = | Size = 514 bytes | Modified Date = 05/04/07 11:16:06 AM | Attr = ]
Chloe.doc -> %UserDocuments%\Chloe.doc -> [Ver = | Size = 71680 bytes | Modified Date = 16/03/07 2:47:02 AM | Attr = ]
Corporate Resumes -> %UserDocuments%\Corporate Resumes -> [Folder | Modified Date = 03/04/07 1:45:30 PM | Attr = ]
Handbags -> %UserDocuments%\Handbags -> [Folder | Modified Date = 19/03/07 4:55:06 PM | Attr = ]
Job Descriptions -> %UserDocuments%\Job Descriptions -> [Folder | Modified Date = 27/03/07 2:21:16 PM | Attr = ]
Letters -> %UserDocuments%\Letters -> [Folder | Modified Date = 13/03/07 10:04:58 AM | Attr = ]
Patricia Sheffield.Collection Specialist.doc -> %UserDocuments%\Patricia Sheffield.Collection Specialist.doc -> [Ver = | Size = 29184 bytes | Modified Date = 13/03/07 5:42:54 PM | Attr = ]
Ponderosa-resumes -> %UserDocuments%\Ponderosa-resumes -> [Folder | Modified Date = 14/03/07 10:45:44 AM | Attr = ]
Robert Rodriguez.Contract Mgr.doc -> %UserDocuments%\Robert Rodriguez.Contract Mgr.doc -> [Ver = | Size = 38912 bytes | Modified Date = 13/03/07 11:27:22 AM | Attr = ]
Steak n Ale -resumes -> %UserDocuments%\Steak n Ale -resumes -> [Folder | Modified Date = 05/04/07 5:49:12 PM | Attr = ]
Steak n Ale- Offers -> %UserDocuments%\Steak n Ale- Offers -> [Folder | Modified Date = 05/04/07 5:54:42 PM | Attr = ]
The Tavern-resumes -> %UserDocuments%\The Tavern-resumes -> [Folder | Modified Date = 13/03/07 3:38:32 PM | Attr = ]
Anna Zaner.Cash App.Spec.doc -> %UserDesktop%\Anna Zaner.Cash App.Spec.doc -> [Ver = | Size = 33280 bytes | Modified Date = 21/03/07 3:31:30 PM | Attr = ]
Benn.Steak.intro oft ltr.doc -> %UserDesktop%\Benn.Steak.intro oft ltr.doc -> [Ver = | Size = 28160 bytes | Modified Date = 20/03/07 4:30:30 PM | Attr = ]
Bennigans.xls -> %UserDesktop%\Bennigans.xls -> [Ver = | Size = 74752 bytes | Modified Date = 05/04/07 11:42:14 AM | Attr = ]
Collection Specialist.job descp.doc -> %UserDesktop%\Collection Specialist.job descp.doc -> [Ver = | Size = 26624 bytes | Modified Date = 15/03/07 6:22:52 PM | Attr = ]
Corp interviews email.doc -> %UserDesktop%\Corp interviews email.doc -> [Ver = | Size = 24064 bytes | Modified Date = 08/03/07 1:07:04 PM | Attr = ]
Corp.1.xls -> %UserDesktop%\Corp.1.xls -> [Ver = | Size = 26624 bytes | Modified Date = 03/04/07 1:48:22 PM | Attr = ]
Corporate.xls -> %UserDesktop%\Corporate.xls -> [Ver = | Size = 29696 bytes | Modified Date = 27/03/07 5:36:44 PM | Attr = ]
dental.doc -> %UserDesktop%\dental.doc -> [Ver = | Size = 24064 bytes | Modified Date = 19/03/07 5:00:22 PM | Attr = ]
Enterprise Rent-A-Car Rental cars for your every need_.htm -> %UserDesktop%\Enterprise Rent-A-Car Rental cars for your every need_.htm -> [Ver = | Size = 8003 bytes | Modified Date = 23/03/07 2:18:30 PM | Attr = ]
John Baker's Resume 2007.rtf -> %UserDesktop%\John Baker's Resume 2007.rtf -> [Ver = | Size = 3162 bytes | Modified Date = 28/03/07 1:14:48 PM | Attr = ]
John Yawney.PA.doc -> %UserDesktop%\John Yawney.PA.doc -> [Ver = | Size = 29184 bytes | Modified Date = 04/04/07 11:32:28 AM | Attr = ]
Lewis Levine.Orlando.FL.doc -> %UserDesktop%\Lewis Levine.Orlando.FL.doc -> [Ver = | Size = 54272 bytes | Modified Date = 05/04/07 12:06:20 PM | Attr = ]
Lori Kester.PA.doc -> %UserDesktop%\Lori Kester.PA.doc -> [Ver = | Size = 38912 bytes | Modified Date = 03/04/07 2:40:32 PM | Attr = ]
Metromedia fax.doc -> %UserDesktop%\Metromedia fax.doc -> [Ver = | Size = 28672 bytes | Modified Date = 14/03/07 10:47:10 AM | Attr = ]
MetroPCS.crystal.htm -> %UserDesktop%\MetroPCS.crystal.htm -> [Ver = | Size = 14205 bytes | Modified Date = 03/04/07 12:20:18 PM | Attr = ]
MetroPCS.crystal_files -> %UserDesktop%\MetroPCS.crystal_files -> [Folder | Modified Date = 03/04/07 12:20:18 PM | Attr = ]
Michael Eliott Viehweger.Trevose.PA.doc -> %UserDesktop%\Michael Eliott Viehweger.Trevose.PA.doc -> [Ver = | Size = 26624 bytes | Modified Date = 03/04/07 1:29:48 PM | Attr = ]
MICHELLE RENFROE.Audit Analy..doc -> %UserDesktop%\MICHELLE RENFROE.Audit Analy..doc -> [Ver = | Size = 35328 bytes | Modified Date = 13/03/07 2:40:46 PM | Attr = ]
Microsoft Office Outlook 2003.lnk -> %UserDesktop%\Microsoft Office Outlook 2003.lnk -> [Ver = | Size = 2587 bytes | Modified Date = 04/04/07 9:15:56 AM | Attr = ]
Ms.Pollard.dress.UPS.doc -> %UserDesktop%\Ms.Pollard.dress.UPS.doc -> [Ver = | Size = 106496 bytes | Modified Date = 05/04/07 3:38:18 PM | Attr = ]
New Hire fax cvr.doc -> %UserDesktop%\New Hire fax cvr.doc -> [Ver = | Size = 483328 bytes | Modified Date = 14/03/07 11:02:06 AM | Attr = ]
Ponderosa.xls -> %UserDesktop%\Ponderosa.xls -> [Ver = | Size = 76800 bytes | Modified Date = 04/04/07 9:20:46 AM | Attr = ]
Resume to scrn -> %UserDesktop%\Resume to scrn -> [Folder | Modified Date = 27/03/07 9:44:54 AM | Attr = ]
Richard JAMES Goldsmith.Trevose.Cherry Hill, NJ.doc -> %UserDesktop%\Richard JAMES Goldsmith.Trevose.Cherry Hill, NJ.doc -> [Ver = | Size = 25088 bytes | Modified Date = 30/03/07 12:59:48 PM | Attr = ]
Sheryl -> %UserDesktop%\Sheryl -> [Folder | Modified Date = 04/04/07 3:55:12 PM | Attr = ]
steak n ale directory.XLS -> %UserDesktop%\steak n ale directory.XLS -> [Ver = | Size = 39424 bytes | Modified Date = 22/03/07 11:16:30 AM | Attr = ]
Steak n Ale.xls -> %UserDesktop%\Steak n Ale.xls -> [Ver = | Size = 138240 bytes | Modified Date = 05/04/07 5:45:30 PM | Attr = ]
Steak.openigs.3.2007.xls -> %UserDesktop%\Steak.openigs.3.2007.xls -> [Ver = | Size = 29696 bytes | Modified Date = 05/04/07 9:45:06 AM | Attr = ]
Stuart Brown.Ft.Lauderdale.FL.offer.2.doc -> %UserDesktop%\Stuart Brown.Ft.Lauderdale.FL.offer.2.doc -> [Ver = | Size = 27136 bytes | Modified Date = 23/03/07 1:10:46 PM | Attr = ]
T019.jpg -> %UserDesktop%\T019.jpg -> [Ver = | Size = 61658 bytes | Modified Date = 30/03/07 12:18:24 PM | Attr = ]
The Tavern.xls -> %UserDesktop%\The Tavern.xls -> [Ver = | Size = 19456 bytes | Modified D

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:05:44 PM

Posted 06 April 2007 - 06:56 AM

Hi fezzikjr. It looks like we have a few things we need to remove. Please print these directions since we will need to reboot during the fix and this page will not be available to you during that time. When all is said and done we will want to update the operating system since this system has not been kept up-to-date and is extremely vulnerable to most infections out there (which you already know).

Now proceed with the following steps in order:

Step #1

Download AVG anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen, under "How to act" select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Step #2

Now start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> Winmsc -> %System32%\ms3d2a43d1.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {0381A807-1D54-9824-FF00-008F295D7482} [HKLM] -> %System32%\nyvhvjf.dll [Reg Data - Value does not exist]
YY -> {4D1F4935-8774-8482-4FB6-013A9143DDF1} [HKLM] -> %System32%\ncoyykf.dll [Reg Data - Value does not exist]
YN -> {65D886A2-7CA7-479B-BB95-14D1EFB7946A} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {BA52B914-B692-46c4-B683-905236F6F655} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -> %ProgramFiles%\PartyPoker\PartyPoker.exe [ButtonText: PartyPoker.com]
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> 411 Ferret Toolbar search -> Reg Data - Value does not exist
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
YN -> shell -> shell protocol not assigned
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
YN -> shell -> shell protocol not assigned
[Registry - Additional Scans - Non-Microsoft Only]
< Disabled MSConfig Folder Items[HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
YY -> C:^Documents and Settings^Tonya^Start Menu^Programs^Startup^Think-Adz.lnk -> %System32%\qwinkoea.exe
YN -> C:^Documents and Settings^Tonya^Start Menu^Programs^Startup^Z_Start.lnk -> %System32%\dwdsregt.exe
< Disabled MSConfig Registry Items [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> {5087A9CB-05DB-1033-0228-030122020001} -> %CommonProgramFiles%\{5087A9CB-05DB-1033-0228-030122020001}\Update.exe
YY -> {5087A9CB-05DC-1033-0228-030122020001} -> %CommonProgramFiles%\{5087A9CB-05DC-1033-0228-030122020001}\Update.exe
YN -> {7A-A9-9C-CB-ZN} -> %System32%\njdsregl.exe
YN -> 4Ec2eHmR -> %SystemRoot%\kovainfk.exe
YN -> AIM -> %SystemDrive%\PROGRA~1\AIM\aim.exe -cnetwait.odl
YN -> Aim6 -> %CommonProgramFiles%\AOL\Launch\AOLLaunch.exe
YN -> bukoj -> %System32%\bukoj.exe
YN -> byejl -> %System32%\byejl.exe
YN -> cfl -> %System32%\cfl.exe
YN -> ChkDisk -> %System32%\chk_disk.exe
YN -> Ckeb -> %SystemRoot%\dllwqjfh.exe
YN -> CleanUp -> %SystemDrive%\PROGRA~1\McAfee.com\Shared\mcappins.exe
YY -> csrss -> %SystemRoot%\system\csrss.exe
YN -> DC6_check -> %CommonProgramFiles%\WinAntiVirus Pro 2006\dc6_startupmon.exe
YN -> Dinst -> %SystemRoot%\dinst.exe
YN -> dwStart ->
YY -> dydwerg.dll -> %System32%\dydwerg.dll
YN -> ERS_check -> %CommonProgramFiles%\WinAntiVirus Pro 2006\ers_startupmon.exe
YY -> ExploreUpdSched -> %System32%\qwinkoea.exe
YN -> gcasServ -> %ProgramFiles%\Microsoft AntiSpyware\gcasServ.exe
YN -> GSILoAXS -> %SystemRoot%\iurwc.exe
YN -> HostManager -> %CommonProgramFiles%\AOL\1138330597\ee\AOLSoftware.exe
YN -> HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe
YN -> HPDJ Taskbar Utility -> %System32%\spool\drivers\w32x86\3\hpztsb12.exe
YN -> hreuis -> %System32%\euydeg.exe
YN -> IE Redir -> %SystemRoot%\ieredir.exe
YN -> IndexSearch -> %ProgramFiles%\Scansoft\PaperPort\IndexSearch.exe
YN -> Internet Optimizer -> %ProgramFiles%\Internet Optimizer\optimize.exe
YN -> IpWins -> %ProgramFiles%\ipwins\ipwins.exe
YN -> IST Service -> %ProgramFiles%\ISTsvc\istsvc.exe
YY -> jclgfbl.dll -> %System32%\jclgfbl.dll
YN -> Lexmark_X79-55 -> %System32%\lsasss.exe
YN -> MCAgentExe -> %SystemDrive%\PROGRA~1\mcafee.com\agent\mcagent.exe
YN -> MCUpdateExe -> %SystemDrive%\PROGRA~1\mcafee.com\agent\McUpdate.exe
YN -> mgktkoc -> %System32%\lvjjde.exe
YN -> Microsoft Windows Logon Process -> %SystemRoot%\winlogon.exe
YN -> Microsoft Windows Session Manager Subsystem -> %SystemRoot%\smss.exe
YN -> MsnMsgr -> %ProgramFiles%\MSN Messenger\msnmsgr.exe
YN -> My Web Search Bar -> %SystemDrive%\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL
YN -> My Web Search Community Tools -> %ProgramFiles%\MyWebSearch\bar\2.bin\m3IMPipe.exe
YN -> MyWebSearch Email Plugin -> %SystemDrive%\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
YN -> NaviSearch -> %ProgramFiles%\NaviSearch\bin\nls.exe
YN -> New.net Startup -> %SystemDrive%\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
YN -> PaperPort PTD -> %ProgramFiles%\Scansoft\PaperPort\pptd40nt.exe
YN -> PP8 SE Reminder -> %ProgramFiles%\Scansoft\PaperPort\WebEreg\NAVBrowser.exe
YN -> QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe
YN -> Run ->
YN -> swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
YN -> TheMonitor -> %SystemRoot%\Duce6.exe
YN -> TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe
YN -> ViewMgr -> %ProgramFiles%\Viewpoint\Viewpoint Manager\ViewMgr.exe
YN -> VirusScan Online -> %SystemDrive%\PROGRA~1\mcafee.com\vso\mcvsshld.exe
YN -> Vrmon -> %ProgramFiles%\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
YN -> VrSchedule -> %ProgramFiles%\PCSecurityShield\ShieldAntivirus\Vrres.exe
YN -> VSOCheckTask -> %SystemDrive%\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
YN -> Weather -> %SystemDrive%\PROGRA~1\AWS\WEATHE~1\Weather.exe
YN -> WildTangent CDA -> Files\WildTangent\Apps\CDA\cdaEngine0400.DLL
YN -> win32071071351068 -> %SystemRoot%\win32071071351068.exe
YN -> WinFixer 2005 -> %ProgramFiles%\WinFixer 2005\wfx5.exe
YY -> WinSysModule -> %SystemRoot%\dsrss.exe
YN -> Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\ypager.exe
[Files/Folders - Created Within 30 days]
NY -> 03eba755e3cf06d7954bfa67 -> %SystemDrive%\03eba755e3cf06d7954bfa67
NY -> 0d9b5c6db29616e4ee7865687652 -> %SystemDrive%\0d9b5c6db29616e4ee7865687652
NY -> 186f018a840d444b1c -> %SystemDrive%\186f018a840d444b1c
NY -> 1915ef09ace704e3d0c5 -> %SystemDrive%\1915ef09ace704e3d0c5
NY -> 1dac41dd30f881e33d7ecc37fbde -> %SystemDrive%\1dac41dd30f881e33d7ecc37fbde
NY -> 248f6b53777577c2810e222d34 -> %SystemDrive%\248f6b53777577c2810e222d34
NY -> 28f59cfa4a47db6a915fc51cf8c05 -> %SystemDrive%\28f59cfa4a47db6a915fc51cf8c05
NY -> 2c2c659327562 -> %SystemDrive%\2c2c659327562
NY -> 2f88a0737b95a19e4b01105e11e9476d -> %SystemDrive%\2f88a0737b95a19e4b01105e11e9476d
NY -> 358 -> %SystemDrive%\358
NY -> 364c0af8388db0cbf271e4dbaacc89 -> %SystemDrive%\364c0af8388db0cbf271e4dbaacc89
NY -> 4 -> %SystemDrive%\4
NY -> 45d8fa8ad98c4b4e467e4c70607c -> %SystemDrive%\45d8fa8ad98c4b4e467e4c70607c
NY -> 4a9fe88c10cb8 -> %SystemDrive%\4a9fe88c10cb8
NY -> 5e6cbe6c822923ecbc33662163d3de -> %SystemDrive%\5e6cbe6c822923ecbc33662163d3de
NY -> 5ff6662b9e3abeaa951eb9678759cc5b -> %SystemDrive%\5ff6662b9e3abeaa951eb9678759cc5b
NY -> 601949fa0a970e9879 -> %SystemDrive%\601949fa0a970e9879
NY -> 648ac3f170c8f5ab985ea -> %SystemDrive%\648ac3f170c8f5ab985ea
NY -> 666f2147d9b2d7c -> %SystemDrive%\666f2147d9b2d7c
NY -> 6c21c0c15a26f5988bd -> %SystemDrive%\6c21c0c15a26f5988bd
NY -> 70fa1dd0277dcaba29 -> %SystemDrive%\70fa1dd0277dcaba29
NY -> 7ad3bc4ec8b8d114d07283 -> %SystemDrive%\7ad3bc4ec8b8d114d07283
NY -> 7e3ead1b7fc2a28 -> %SystemDrive%\7e3ead1b7fc2a28
NY -> 92e6e23fc9dbeb298991ecca11986673 -> %SystemDrive%\92e6e23fc9dbeb298991ecca11986673
NY -> 93fec5b94f17465b409a2ad572185741 -> %SystemDrive%\93fec5b94f17465b409a2ad572185741
NY -> 96b7a2a70a5611ea960989e2ec4496 -> %SystemDrive%\96b7a2a70a5611ea960989e2ec4496
NY -> a7814771293b10cb51e49e3f1f49633e -> %SystemDrive%\a7814771293b10cb51e49e3f1f49633e
NY -> b1e4564002c2579da3d6 -> %SystemDrive%\b1e4564002c2579da3d6
NY -> b3153aef2 -> %SystemDrive%\b3153aef2
NY -> bee95e9066caeb504654d239ddf1a4 -> %SystemDrive%\bee95e9066caeb504654d239ddf1a4
NY -> c44061301bcceecf37c2b17b87 -> %SystemDrive%\c44061301bcceecf37c2b17b87
NY -> d13aa1112648c9bcbd25 -> %SystemDrive%\d13aa1112648c9bcbd25
NY -> d4c48efd67282b0 -> %SystemDrive%\d4c48efd67282b0
NY -> e07a6e2cd89d3a0bf0 -> %SystemDrive%\e07a6e2cd89d3a0bf0
NY -> e6d1cbec0b5e8fbf15c4954c54b745 -> %SystemDrive%\e6d1cbec0b5e8fbf15c4954c54b745
NY -> e87ad9f55c31e87abd -> %SystemDrive%\e87ad9f55c31e87abd
NY -> ec416a2 -> %SystemDrive%\ec416a2
NY -> ed2bbb4d2a16b39cf48e82e2e660be7 -> %SystemDrive%\ed2bbb4d2a16b39cf48e82e2e660be7
NY -> fde2bac0fdd5ef611250fbc -> %SystemDrive%\fde2bac0fdd5ef611250fbc
[Reboot]


The fix should only take a very short time. You will be asked to reboot at the end of the fix. Choose Yes and reboot into Safe Mode as shown below.

Reboot into Safe Mode by doing the following:
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Launch AVG Anti-Spyware by double-clicking the icon on your desktop.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
    • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the "Apply all actions" button
    Note: Don't save the report before you hit the Apply action button.
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Step #4

Post the following back here:
  • a new WinPFind3U report (make sure that <End of report> is the last line of the post. If not, then it is too long to fit into 1 post and you will need to make multiple posts to fit it all in. The last log was cut-off at the end and was not complete)
  • the AVG Anti-Spyware report
  • the latest .log file from the WinPFind3u folder (it will be a .log file and have a date_time name in the format mmddyyyy_hhmmss.log)
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
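Added example (not part of this thread, not OldTimer's tool, and not how WinPFind3U itself decides anything): the fix above removes several startup entries that borrow core Windows process names, either launched from the wrong folder (%SystemRoot%\system\csrss.exe, %SystemRoot%\winlogon.exe, %SystemRoot%\smss.exe) or spelled one character off (dsrss.exe, lsasss.exe). The script below parses lines in the "YY -> name -> target" layout used in the log and flags exactly those two tricks. The sample lines are copied from the fix above; the canonical-directory table is an assumption for a Windows XP layout, and the two-letter prefix is kept verbatim without interpreting it.

```python
"""Triage helper for WinPFind3U-style startup lines (added example).

Flags two impersonation patterns: a core Windows process name launched from a
directory other than its canonical one, and a filename one edit away from a core
process name.  Sample lines are copied from the thread; nothing here queries the
live system.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed canonical locations for a Windows XP layout, written in the same
# %Var% notation the log uses.  Extend as needed.
CORE_PROCESSES = {
    "csrss.exe": "%System32%",
    "smss.exe": "%System32%",
    "winlogon.exe": "%System32%",
    "lsass.exe": "%System32%",
    "services.exe": "%System32%",
    "svchost.exe": "%System32%",
    "explorer.exe": "%SystemRoot%",
}

# "YY -> <name> -> <target>"; the target may be empty (see "dwStart").
LINE_RE = re.compile(r"^(?P<flags>[YN]{2}) -> (?P<name>.*?) ->\s*(?P<target>.*)$")
# Keep the file path, drop trailing arguments such as "aim.exe -cnetwait.odl".
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|lnk|com|scr|sys))(?:\s.*)?$", re.IGNORECASE)


class Entry(NamedTuple):
    flags: str    # WinPFind3U's two-letter prefix, recorded but not decoded here
    name: str
    target: str


class Finding(NamedTuple):
    entry: Entry
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    return Entry(m.group("flags"), m.group("name"), m.group("target")) if m else None


def split_target(target: str) -> Optional[Tuple[str, str]]:
    """(directory, lower-cased basename) of the launched file, or None when the
    target is not a file path (e.g. 'Reg Data - Key not found' or empty)."""
    m = EXE_RE.match(target.strip())
    if not m or "\\" not in m.group(1):
        return None
    directory, _, base = m.group(1).rpartition("\\")
    return directory, base.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_entry(entry: Entry) -> Optional[Finding]:
    parts = split_target(entry.target)
    if parts is None:
        return None
    directory, base = parts
    if base in CORE_PROCESSES:
        expected = CORE_PROCESSES[base]
        if directory.lower() != expected.lower():
            return Finding(entry, f"{base} launched from {directory}, expected {expected}")
        return None
    for real in CORE_PROCESSES:
        if edit_distance(base, real) == 1:
            return Finding(entry, f"{base} is one edit away from {real}")
    return None


def audit(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            finding = check_entry(entry)
            if finding is not None:
                findings.append(finding)
    return findings


# Lines copied from the fix posted above (legitimate and malicious mixed).
SAMPLE_LINES = [
    "YN -> AIM -> %SystemDrive%\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl",
    "YY -> csrss -> %SystemRoot%\\system\\csrss.exe",
    "YN -> dwStart ->",
    "YN -> HP Software Update -> %ProgramFiles%\\HP\\HP Software Update\\HPWuSchd2.exe",
    "YN -> Lexmark_X79-55 -> %System32%\\lsasss.exe",
    "YN -> Microsoft Windows Logon Process -> %SystemRoot%\\winlogon.exe",
    "YN -> Microsoft Windows Session Manager Subsystem -> %SystemRoot%\\smss.exe",
    "YN -> QuickTime Task -> %ProgramFiles%\\QuickTime\\qttask.exe",
    "YN -> {65D886A2-7CA7-479B-BB95-14D1EFB7946A} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]",
    "YY -> WinSysModule -> %SystemRoot%\\dsrss.exe",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        print(f"[{f.entry.flags}] {f.entry.name}: {f.reason}")
```

Run it against a full WinPFind3U log to shortlist entries for a human to review; the display name of a startup item ("Microsoft Windows Logon Process") is ignored on purpose, since only the launched path is evidence.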




