Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Unsure. Please help.


  • Please log in to reply

#1
LindaGee

LindaGee

    Member

  • Member
  • PipPip
  • 13 posts
OTL logfile created on: 4/8/2010 11:45:51 AM - Run 2
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Linda Goodson\My Documents\Downloads
Windows XP Tablet PC Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 39.74 Gb Free Space | 53.33% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 1.89 Gb Total Space | 1.42 Gb Free Space | 75.26% Space Free | Partition Type: FAT
Drive I: | 955.72 Mb Total Space | 952.81 Mb Free Space | 99.70% Space Free | Partition Type: FAT

Computer Name: TOSHIBA-USER120
Current User Name: Linda Goodson
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/08 11:43:05 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Linda Goodson\My Documents\Downloads\OTL(2).exe
PRC - [2010/04/02 19:22:06 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/19 11:00:46 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/03/19 08:54:58 | 002,046,816 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2010/02/26 13:46:32 | 012,526,424 | ---- | M] (magicJack L.P.) -- C:\Documents and Settings\Linda Goodson\Application Data\mjusbsp\magicJack.exe
PRC - [2009/12/15 11:24:48 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Linda Goodson\Desktop\gmer.exe
PRC - [2009/08/17 15:20:06 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/17 15:20:04 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/17 15:19:58 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/17 15:19:49 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/01/14 10:32:19 | 000,066,864 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
PRC - [2008/12/20 07:50:34 | 002,656,528 | ---- | M] () -- C:\Program Files\Logitech\QuickCam\Quickcam.exe
PRC - [2008/12/20 07:46:58 | 000,558,864 | ---- | M] () -- C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
PRC - [2008/12/16 21:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/07/21 16:54:34 | 000,169,312 | ---- | M] (Maxtor Corporation) -- C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
PRC - [2008/07/21 16:53:04 | 000,193,888 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2008/04/13 14:12:40 | 000,293,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wisptis.exe
PRC - [2008/04/13 14:12:37 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\tcserver.exe
PRC - [2008/04/13 14:12:23 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
PRC - [2008/04/13 14:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/31 08:58:50 | 000,357,800 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
PRC - [2005/01/18 12:18:40 | 000,126,976 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TME3\TMESRV31.exe
PRC - [2004/12/24 22:51:02 | 000,172,032 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\ThpSrv.exe
PRC - [2004/11/10 09:14:08 | 000,036,864 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2004/10/15 09:27:38 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2004/10/15 09:24:48 | 000,360,521 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2004/10/15 09:23:12 | 000,245,760 | ---- | M] (Intel) -- C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
PRC - [2004/10/15 09:22:14 | 000,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2004/10/15 09:21:38 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2004/10/14 06:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2004/08/10 15:21:38 | 000,258,048 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\00THotkey.exe
PRC - [2004/05/13 11:46:02 | 000,053,248 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2004/02/24 13:57:32 | 000,077,824 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TME3\TMETEMnu.exe
PRC - [2003/08/01 12:56:02 | 000,086,016 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TME3\tmesbs32.exe
PRC - [2003/05/23 11:38:26 | 000,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe
PRC - [2003/01/21 16:00:06 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TouchED\TouchED.exe
PRC - [2002/10/30 16:59:12 | 000,364,544 | ---- | M] (FinePrint Software, LLC) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\fppdis1.exe
PRC - [2002/09/20 11:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2002/08/29 01:41:28 | 000,035,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tabbtnu.exe


========== Modules (SafeList) ==========

MOD - [2010/04/08 11:43:05 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Linda Goodson\My Documents\Downloads\OTL(2).exe
MOD - [2008/04/13 14:12:07 | 000,210,944 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\tiptsf.dll
MOD - [2008/04/13 14:12:07 | 000,038,912 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\tipcomponentsps.dll
MOD - [2008/04/13 14:12:01 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2008/04/13 14:11:58 | 000,068,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msctfp.dll
MOD - [2008/04/13 07:39:24 | 002,897,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\xpsp2res.dll
MOD - [2002/08/29 01:41:08 | 000,023,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Journal\nbmaptip.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/08/17 15:19:49 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$XACTWARE) SQL Server (XACTWARE)
SRV - [2008/12/16 21:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/07/21 16:53:04 | 000,193,888 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2008/03/06 16:10:52 | 000,106,496 | ---- | M] (PCTEL) [On_Demand | Stopped] -- C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe -- (ATTRcAppSvc)
SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2005/01/18 12:18:40 | 000,126,976 | ---- | M] (TOSHIBA) [Auto | Running] -- C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe -- (Tmesrv)
SRV - [2004/12/24 22:51:02 | 000,172,032 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\ThpSrv.exe -- (Thpsrv)
SRV - [2004/11/10 09:14:08 | 000,036,864 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004/10/15 09:24:48 | 000,360,521 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2004/10/15 09:22:14 | 000,086,016 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)
SRV - [2004/10/15 09:21:38 | 000,139,264 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)
SRV - [2004/05/13 11:46:02 | 000,053,248 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2003/08/01 12:56:02 | 000,086,016 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe -- (Tmesbs)
SRV - [2003/05/23 11:38:26 | 000,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
SRV - [2002/09/20 11:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "search"
FF - prefs.js..browser.startup.homepage: "http://msnbc.com/htt...://foxnews.com"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..network.proxy.type: 4


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/22 09:04:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/07 20:50:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 19:22:13 | 000,000,000 | ---D | M]

[2008/09/12 07:40:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\Mozilla\Extensions
[2010/04/07 16:12:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\Mozilla\Firefox\Profiles\1vqtqqhu.default\extensions
[2009/09/02 22:03:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Linda Goodson\Application Data\Mozilla\Firefox\Profiles\1vqtqqhu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/03/29 09:14:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\Mozilla\Firefox\Profiles\1vqtqqhu.default\extensions\[email protected]
[2010/04/07 16:12:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/24 17:53:25 | 000,036,864 | ---- | M] (Homestead Technologies, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nphssb.dll
[2008/09/15 11:52:06 | 000,376,832 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll

O1 HOSTS File: ([2009/08/13 17:46:24 | 000,006,696 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 privateseoogle.bs
O1 - Hosts: 64.86.17.32 google.com.gh
O1 - Hosts: 64.86.17.32 google.com.hk
O1 - Hosts: 64.86.17.32 google.com.jm
O1 - Hosts: 64.86.17.32 google.com.my
O1 - Hosts: 64.86.17.32 google.com.na
O1 - Hosts: 64.86.17.32 google.com.nf
O1 - Hosts: 64.86.17.32 google.com.ng
O1 - Hosts: 64.86.17.32 google.com.np
O1 - Hosts: 64.86.17.32 google.com.pr
O1 - Hosts: 64.86.17.32 google.com.qa
O1 - Hosts: 64.86.17.32 google.com.sg
O1 - Hosts: 64.86.17.32 google.com.tj
O1 - Hosts: 64.86.17.32 google.com.tw
O1 - Hosts: 64.86.17.32 google.dm
O1 - Hosts: 64.86.17.32 google.ee
O1 - Hosts: 64.86.17.32 google.ge
O1 - Hosts: 64.86.17.32 google.ht
O1 - Hosts: 64.86.17.32 google.im
O1 - Hosts: 64.86.17.32 google.in
O1 - Hosts: 64.86.17.32 google.ki
O1 - Hosts: 64.86.17.32 google.la
O1 - Hosts: 64.86.17.32 google.ma
O1 - Hosts: 64.86.17.32 google.nr
O1 - Hosts: 82 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)
O4 - HKLM..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\system32\spool\drivers\w32x86\3\fppdis1.exe (FinePrint Software, LLC)
O4 - HKLM..\Run: [pdfFactory Pro Dispatcher v3] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe (FinePrint Software, LLC)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TabletWizard] C:\WINDOWS\Help\splshwrp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TouchED] C:\Program Files\Toshiba\TouchED\TouchED.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe File not found
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\Linda Goodson\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\Linda Goodson\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKCU\..Trusted Domains: doccentral.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: fnismls.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: getmedianow.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: magicjack.com ([my] https in Trusted sites)
O15 - HKCU\..Trusted Domains: pilotcat.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: rdesk.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: rexplorer.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sg1 ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: showingtime.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sitexdata.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: spellchecker.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: talk4free.com ([reg] https in Trusted sites)
O15 - HKCU\..Trusted Domains: transactionpoint.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: trpoint.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: virtualearth.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: xmlsweb.com ([]* in Trusted sites)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} http://www.kaspersky...can_unicode.cab (CKAVWebScan Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www2.snapfish...fishActivia.cab (Snapfish Activia)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace....ploader1005.cab (MySpace Uploader Control)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} http://www.kodakgall..._2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 76.85.229.110 76.85.229.111
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\loginkey: DllName - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll (Microsoft Corporation)
O20 - Winlogon\Notify\TabBtnWL: DllName - TabBtnWL.dll - C:\WINDOWS\System32\tabbtnwl.dll (Microsoft Corporation)
O20 - Winlogon\Notify\tpgwlnotify: DllName - tpgwlnot.dll - C:\WINDOWS\System32\tpgwlnot.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Linda Goodson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Linda Goodson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/07 10:39:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2b6a7750-30bd-11dd-8f7a-00166f0b6cc7}\Shell - "" = AutoRun
O33 - MountPoints2\{2b6a7750-30bd-11dd-8f7a-00166f0b6cc7}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2b6a7750-30bd-11dd-8f7a-00166f0b6cc7}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{2d9b5000-2e93-11dd-8f71-00166f0b6cc7}\Shell\AutoRun\command - "" = .\Encryption Tool\MaxtorEncryption.exe
O33 - MountPoints2\{fc8097ef-3196-11dd-8f7f-00166f0b6cc7}\Shell - "" = AutoRun
O33 - MountPoints2\{fc8097ef-3196-11dd-8f7f-00166f0b6cc7}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fc8097ef-3196-11dd-8f7f-00166f0b6cc7}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/01/07 10:38:36 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183528496136192)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/08 11:03:39 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/08 11:03:37 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/08 11:03:37 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/08 11:01:22 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/03 08:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/04/03 08:30:09 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/03/19 11:18:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/03/19 11:16:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/03/19 10:58:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/19 10:58:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/12/13 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\TuneUp Software
[2009/12/13 11:00:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\TuneUp Software
[2009/02/06 08:15:48 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/02/06 08:15:48 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/09/28 10:05:03 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Linda Goodson\DesktopWinsockxpFix.exe
[2008/09/28 10:04:59 | 000,186,368 | ---- | C] (CEXX.ORG) -- C:\Documents and Settings\Linda Goodson\DesktopLSPFix.exe
[2008/09/28 10:04:57 | 000,036,864 | ---- | C] (Rock Systems & Development) -- C:\Documents and Settings\Linda Goodson\DesktopSafeMSI.exe
[2008/06/14 13:17:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/05/30 17:50:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Bytemobile
[2008/05/06 05:45:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2007/12/31 05:56:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Symantec
[2005/01/07 11:30:07 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\System32\BrigthDL.dll
[2004/01/04 21:30:10 | 000,184,386 | ---- | C] (HP) -- C:\Documents and Settings\Linda Goodson\hpdj01

========== Files - Modified Within 14 Days ==========

[2010/04/08 11:45:00 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F73D8017-CFCB-4548-A6CF-DCB9523F935D}.job
[2010/04/08 11:23:11 | 000,001,056 | ---- | M] () -- C:\Documents and Settings\Linda Goodson\Desktop\magicJack.lnk
[2010/04/08 11:22:59 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-341395016-982499043-1227174845-1005.job
[2010/04/08 11:22:55 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/08 11:22:50 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/08 11:22:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/08 11:22:44 | 1592,709,120 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/08 11:21:27 | 007,340,032 | ---- | M] () -- C:\Documents and Settings\Linda Goodson\ntuser.dat
[2010/04/08 11:21:27 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Linda Goodson\ntuser.ini
[2010/04/08 11:03:42 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/08 10:43:16 | 000,131,072 | ---- | M] () -- C:\Documents and Settings\Linda Goodson\Desktop\GEEK.doc
[2010/04/08 10:28:01 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/04/08 10:22:04 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/08 08:10:08 | 000,033,326 | ---- | M] () -- C:\Documents and Settings\Linda Goodson\Desktop\MS image.aspx
[2010/04/08 04:54:55 | 058,679,563 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/04/07 21:32:29 | 000,016,688 | ---- | M] () -- C:\Documents and Settings\Linda Goodson\Desktop\6324_Connery-Sean-007.jpg
[2010/04/07 18:00:00 | 000,000,458 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2010/04/07 17:29:56 | 000,096,951 | ---- | M] () -- C:\Documents and Settings\Linda Goodson\Desktop\clock.jpg
[2010/04/07 12:06:34 | 000,326,817 | ---- | M] () -- C:\Documents and Settings\Linda Goodson\Desktop\securedownload.gif
[2010/04/06 21:04:02 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-341395016-982499043-1227174845-1005.job
[2010/04/04 16:27:31 | 000,133,984 | ---- | M] () -- C:\Documents and Settings\Linda Goodson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/04 13:17:51 | 000,183,951 | ---- | M] () -- C:\Documents and Settings\Linda Goodson\Desktop\ss-100401-cagle-easter-06.ss_full.jpg
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/04/08 11:26:50 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\Desktop\gmer.exe
[2010/04/08 11:03:42 | 000,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/08 10:43:15 | 000,131,072 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\Desktop\GEEK.doc
[2010/04/08 08:10:00 | 000,033,326 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\Desktop\MS image.aspx
[2010/04/07 21:32:21 | 000,016,688 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\Desktop\6324_Connery-Sean-007.jpg
[2010/04/07 17:15:19 | 000,096,951 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\Desktop\clock.jpg
[2010/04/07 12:06:33 | 000,326,817 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\Desktop\securedownload.gif
[2010/04/04 13:17:50 | 000,183,951 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\Desktop\ss-100401-cagle-easter-06.ss_full.jpg
[2009/12/15 12:31:19 | 007,340,032 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\ntuser.dat
[2009/10/12 17:45:28 | 000,374,784 | ---- | C] () -- C:\WINDOWS\3dg32.dll
[2009/10/12 17:45:23 | 000,000,250 | ---- | C] () -- C:\WINDOWS\3dr.ini
[2009/10/11 15:17:22 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2009/10/11 15:17:22 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2009/10/11 15:17:22 | 000,000,339 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2009/10/11 15:17:22 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2009/08/17 15:47:13 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ESGAppInfo.dll
[2009/03/14 08:55:39 | 000,000,059 | ---- | C] () -- C:\WINDOWS\dcmvwr.INI
[2008/12/16 21:58:54 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2008/12/16 21:50:56 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLgFT.dll
[2008/09/18 14:20:05 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2008/09/06 16:15:43 | 000,061,224 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\GoToAssistDownloadHelper.exe
[2008/08/16 04:50:40 | 000,000,932 | ---- | C] () -- C:\WINDOWS\Epsonem.ini
[2008/07/26 14:42:52 | 000,081,110 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/07/24 06:26:16 | 000,000,120 | ---- | C] () -- C:\WINDOWS\DDSSetup.ini
[2008/07/14 05:36:11 | 000,000,068 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2008/05/30 17:43:42 | 000,026,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\swmsflt.sys
[2008/05/13 15:36:33 | 000,000,503 | ---- | C] () -- C:\WINDOWS\3DHOME.INI
[2008/05/13 08:41:00 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\Application Data\wklnhst.dat
[2008/04/17 01:03:26 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/03/08 09:03:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pestpatrol5.INI
[2008/03/01 04:19:48 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/03/01 04:18:39 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2008/03/01 04:18:23 | 000,000,057 | ---- | C] () -- C:\WINDOWS\EPSPR260.ini
[2008/02/22 06:12:49 | 000,000,905 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/01/08 14:50:22 | 000,000,096 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/01/02 14:33:54 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2008/01/01 08:43:11 | 000,014,164 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/12/30 15:37:52 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Linda Goodson\Local Settings\Application Data\fusioncache.dat
[2007/12/30 15:37:49 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Linda Goodson\NTUSER.DAT.LOG
[2007/12/30 15:37:49 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Linda Goodson\ntuser.ini
[2007/12/30 15:36:43 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2007/12/30 15:36:43 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2007/12/30 15:26:08 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/12/30 15:25:34 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/04/01 23:58:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/05/18 11:33:18 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\PdfIntf.dll
[2005/08/18 08:12:09 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2005/08/18 08:12:09 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2005/08/18 08:12:09 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2005/08/18 08:12:08 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2005/05/23 14:15:28 | 000,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2005/01/21 09:05:14 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2005/01/21 09:05:14 | 000,028,032 | ---- | C] () -- C:\WINDOWS\System32\drivers\WOWXT_kern_i386.sys
[2005/01/07 13:52:40 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/01/07 13:52:40 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/01/07 13:52:40 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/01/07 13:52:40 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/01/07 13:52:40 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/01/07 13:52:40 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/01/07 13:47:42 | 000,000,180 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2005/01/07 12:26:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2005/01/07 11:58:08 | 000,006,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2005/01/07 11:41:13 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/01/07 10:46:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/01/07 10:33:38 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/01/07 08:06:50 | 000,000,384 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/11/04 18:30:12 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\ptool.dll
[2004/08/12 06:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll

========== LOP Check ==========

[2009/08/13 10:53:42 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\ac73cf9
[2009/12/09 15:36:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Agilix
[2008/07/10 10:33:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AliasWavefront
[2008/05/30 17:38:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AT&T
[2008/02/29 09:17:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2009/01/14 10:00:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cingular
[2008/01/05 21:39:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2008/03/01 04:20:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2009/08/16 23:50:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2010/04/03 08:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2008/05/30 13:36:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2005/08/18 07:47:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2008/02/28 04:49:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Road Runner
[2008/01/03 09:40:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simple Star
[2008/01/03 09:50:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simple Star Shared
[2009/08/13 10:51:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/30 17:37:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2005/01/07 13:42:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/09/08 18:21:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/11/19 21:34:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xactware
[2008/01/16 08:40:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo
[2009/09/27 14:10:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/24 18:10:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/12/13 10:49:14 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
[2008/05/30 17:53:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\AT&T
[2008/10/10 05:02:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\Cingular
[2008/09/25 09:48:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2008/05/30 17:46:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\DBUpdater
[2009/08/16 23:30:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\GARMIN
[2008/06/01 15:25:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\ICAClient
[2009/09/08 18:44:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\ImgBurn
[2005/01/07 13:23:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\InterTrust
[2005/01/10 11:24:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\InterVideo
[2008/09/18 14:20:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\Leadertech
[2010/04/08 11:23:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\mjusbsp
[2009/01/03 10:27:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\ooVoo Details
[2009/08/17 17:56:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\Opera
[2008/01/05 22:36:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\picajet.com
[2009/04/21 15:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\Pogo Games
[2008/02/28 04:49:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\Road Runner
[2008/05/30 17:43:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\Sierra Wireless
[2008/01/03 09:40:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\Simple Star
[2009/10/12 18:17:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\SmartDraw
[2009/12/30 19:11:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\Snapfish
[2005/01/07 12:54:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\toshiba
[2009/12/13 10:49:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Linda Goodson\Application Data\TuneUp Software
[2010/04/07 18:00:00 | 000,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Registration.job
[2010/03/21 13:33:00 | 000,000,548 | ---- | M] () -- C:\WINDOWS\Tasks\Rescue Reminder for 2HAPPLGC.job
[2010/04/08 11:45:00 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{F73D8017-CFCB-4548-A6CF-DCB9523F935D}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 02:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/05 17:39:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 02:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2008/09/05 17:39:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 08:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 08:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 02:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/05 17:39:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 02:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/09/05 17:39:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 08:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 08:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 02:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 14:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 14:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 14:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 14:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/13 14:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 14:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/01/07 02:27:15 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/01/07 02:27:15 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/01/07 02:27:15 | 000,884,736 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C895616B
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07348C09
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0CE7F3C9
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


ERUNT - The Emergency Recovery Utility NT
=========================================

Registry Backup and Restore for Windows NT/2000/2003/XP

v1.1j, 10/20/2005, Freeware
Written by Lars Hederer
e-mail: [email protected]

Look for the latest version here:
http://www.larsheder...online.de/erunt

To find out what's new in this version, please see the "Version
history" section later in this file.



Introduction
------------

With the invention of Windows 95 Microsoft made the wise decision to
organize all computer- and application-specific data which was spread
over countless INI files before in a centralized Windows database,
called the system "registry". The registry is one of the most
important parts in every Windows system today, without which the OS
would not even boot. And since the registry is quite sensitive to
corruption, it is very advisable to backup its according files from
time to time.

In MS-DOS based Windows versions (95, 98, Me) the registry consists of
the files SYSTEM.DAT and USER.DAT (and CLASSES.DAT in Windows Me). To
backup these files, one can easily go to the Windows folder in
Explorer and copy the files to a safe location, for example another
folder on the hard disk. Microsoft even supplies a utility called ERU
which can be used to backup these and a few other critical system
files to a safe location.

Also, Windows 9x*LindaGee automatically create backups of the registry at
startup, with Windows 95 always backing up the registry from the
previous Windows session, and Windows 98*LindaGee maintaining up to five
registry copies from the last five days where Windows was running.

Unfortunately, this is not the case with Windows versions based on the
NT kernel. In Windows NT and 2000, the registry is never backed up
automatically, and in XP it is backed up only as part of the bloated
and resource hogging System Restore program which cannot even be used
for a "restore" should a corrupted registry prevent Windows from
booting. It has also become impossible to copy the necessary files,
now called "hives" and usually named DEFAULT, SAM, SECURITY, SOFTWARE,
SYSTEM in the SYSTEM32\CONFIG folder, to another location because they
are all in use by the OS. And though the registry in an NT-based
Windows is less likely to become corrupted than in other versions, it
can still happen, and for these cases NT is simply missing an option
for easy registry backup and restore as there is in Windows 9x/Me, to
get the system up and running again in no time.

In 2001, as Windows XP began to come pre-installed on many new home
user PCs and was likely to become the new Windows standard over the
next years, I decided to write a program which offers the ease-of-use
of Windows 9x*LindaGee ERU by Microsoft (hence the name ERUNT) to backup the
registry, as well as providing an auto-backup capability, for example
at Windows startup.

Or, before installing a new program for testing purposes one could
save the registry with ERUNT, install and test the program, uninstall
it and restore the registry to be 100% sure that no debris is left.

Note: The "Export registry" function in Regedit is USELESS (!) for
making a complete backup of the registry. Neither does it export the
whole registry (for example, no information from the "SECURITY" hive
is saved), nor can the exported file be used later to replace the
current registry with the old one. Instead, if you re-import the file,
it is merged with the current registry without deleting anything that
has been added since the export, leaving you with an absolute mess of
old and new entries.



Features
--------

- Backup the Windows NT/2000/2003/XP registry to a folder of your
choice

- System and current user registries selectable

- Command line switches for automated registry backup and restoration

- Restore the registry in Windows 9x/Me/NT/2000/2003/XP and MS-DOS
(all-in-one restore program) or the Windows Recovery Console

- Included in this package:
NTREGOPT program for optimizing the registry

- All programs in this package are completely localizable
(translate them into your language), German version included



Supported operating systems
---------------------------

- Windows NT 3.51
- Windows NT 4.0
- Windows 2000
- Windows 2003
- Windows XP
- most likely, all future Windows versions based on the NT kernel

Additionally supported by the ERDNT restore program:
- MS-DOS
- Windows 95
- Windows 98
- Windows Me



Installation
------------

Use the Setup program to install ERUNT on your computer.

Or, if you downloaded the zipped version: Unzip all files into a
folder of your choice, and if you want, create shortcuts on your
desktop to the ERUNT.EXE and NTREGOPT.EXE files.



Uninstallation
--------------

Use "Add/Remove Programs" in Windows' control panel to remove ERUNT
from your computer.

Or, if you downloaded the zipped version: Delete the ERUNT folder,
delete the appropriate desktop icons.

(You may also want to delete all restore folders you have previously
created with the program.)



Backing up the registry with ERUNT
----------------------------------

Note: To ensure proper operation of ERUNT, you should be logged in as
a system administrator.

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click "..." to browse your computer's drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Note that in the folder edit field, ERUNT by default appends a folder
named the current date to the restore folder, which allows you to keep
as many registry backups as you wish in the same restore folder,
separated into the different creation dates. This feature, as well as
the appearance of the date string, can be configured via the ERUNT.INI
file, described later in this document. If you want the registry backup
to be created directly in the folder you select, you can also simply
remove the date from the folder edit field before clicking "OK".

Next, select the backup options:

- System registry: The current system registry, usually consisting of
the files DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM.

- Current user registy: The registry files for the currently logged-on
user, usually NTUSER.DAT and USRCLASS.DAT.

- Other open user registries: Sometimes Windows has a few other user
registries in memory. Examples for this are "generic" registries,
e.g. for user "EVERYONE", or registries of other users if you use
Fast Task Switching in Windows XP. Check this option to backup all
these additional user registries (if found) as well.

Click "OK" and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

(Technical information: ERUNT saves only registry files which are in
use by the system. It obtains information about these files from
registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
hivelist. Registry hives not listed there, for example those
of other users of the computer, cannot be saved by ERUNT.)



ERUNT command line switches
---------------------------

ERUNT supports command line switches with which you can perform an
automated registry backup, without user interaction. The syntax for
the ERUNT command line is as follows:

ERUNT DestinationFolder [sysreg] [curuser] [otherusers]
[/noconfirmdelete] [/noprogresswindow]

DestinationFolder is required for command line operation of ERUNT,
all other switches are optional.

If you specify a destination folder on the command line, ERUNT
automatically runs in "silent" mode and with default backup options
(system and current user registry). No user interaction is required,
EXCEPT the confirmation of the restore folder deletion if it exists,
or any error messages. The confirmation question can be suppressed
by using /noconfirmdelete (see below).

Description of the command line switches:

DestinationFolder
The name of the folder where the registry backup should be saved.
Example: C:\WINDOWS\ERDNT
You can use the strings #Date# and #Time# anywhere in the folder
name to have ERUNT insert the current date/time at that position.
Example: C:\WINDOWS\ERDNT\#Date#
Windows' %SystemRoot% environment variable can be used on the
command line as a substitute for the name of the Windows folder.
Example: %SystemRoot%\ERDNT\#Date#

sysreg
Backup the system registry

curuser
Backup the current user registry

otherusers
Backup other open user registries

(Note: If none of the three above options is given on the command
line, ERUNT automatically uses the default backup options, system
and current user registry.)

/noconfirmdelete
Automatically deletes the contents of the destination folder if it
exists, without asking the user. BE CAREFUL and only use this option
if you are sure that the contents of that folder may really be
deleted!

/noprogresswindow
Hides the progress window during backup.

So, to backup the system registry to folder C:\ERDNT each day of the
week using subfolders with the name of the current day you could use
the integrated scheduler in Windows to schedule seven different ERUNT
calls for each day:

For Monday you would use the command line
C:\ERUNT\ERUNT.EXE C:\ERDNT\Monday sysreg /noconfirmdelete

For Tuesday you would use the command line
C:\ERUNT\ERUNT.EXE C:\ERDNT\Tuesday sysreg /noconfirmdelete

... well, you get the idea.

Or, to have ERUNT automatically backup the registry on each Windows
startup to a folder named "ERDNT" inside the Windows folder, including
a folder named the current date, you could place a shortcut like the
following in your Start Menu/Programs/Startup folder:

C:\ERUNT\ERUNT.EXE %SystemRoot%\ERDNT\#Date# /noconfirmdelete

If you want old restore folders created this way to be deleted
automatically from time to time, you can use AUTOBACK.EXE instead of
ERUNT.EXE. The AUTOBACK tool is described later in this document.
Also, ERUNT Setup offers the choice to add an AutoBackup shortcut to
the Startup folder automatically during the installation process.



The ERUNT.INI file
------------------

You can configure various ERUNT settings with this file, for example
change the default destination folder displayed in ERUNT's folder edit
field, or disable automatic appendation of the current date there.

Use Notepad to create a file named ERUNT.INI in your ERUNT folder, and
add the following line:

[ERUNT]

Below this line, enter one or more of the following configuration
options:

DefaultDestinationFolder
The name of the default folder displayed in ERUNT's folder edit
field. You may also use environment variables here, for example
%SystemRoot% as a substitute for the name of the Windows folder.
Default: %SystemRoot%\ERDNT
Example:
DefaultDestinationFolder=C:\ERDNT

AppendDateToFolderEditField
Enable or disable automatic appendation of the current date to
ERUNT's folder edit field.
0=disable, 1=enable, default: 1
Example:
AppendDateToFolderEditField=0

AppendTimeToFolderEditField
Enable or disable automatic appendation of the current time to
ERUNT's folder edit field. This function can only be enabled in
conjunction with AppendDateToFolderEditField also set to 1.
0=disable, 1=enable, default: 0
Example:
AppendTimeToFolderEditField=1

DateFormat
DateSeparator
These settings configure the appearance of the date string in
ERUNT's folder edit field, or when #Date# is used on the command
line. By default, ERUNT uses Windows' regional settings for the
short date format. Note that only "." and "-" are allowed as date
separators.
Example:
DateFormat=mm/dd/yyyy
DateSeparator=-

TimeFormat
TimeSeparator
These settings configure the appearance of the time string in
ERUNT's folder edit field, or when #Time# is used on the command
line. By default, ERUNT uses Windows' regional settings for the
short time format. Note that only "." and "-" are allowed as time
separators.
Example:
TimeFormat=hh:mm:ss
TimeSeparator=.

DisableFastBackup
On supported operating systems (including Windows XP and Server
2003) ERUNT by default uses a very fast backup algorithm. If you
experience any problems during registry backup, you can try to
disable this function and revert back to the conventional (but slow)
method. This setting has no effect on unsupported operating systems,
where the conventional algorithm is always used.
0=fast method, 1=conventional method, default: 0
Example:
DisableFastBackup=1



The AUTOBACK.EXE tool
---------------------

The command line tool AUTOBACK.EXE uses the same syntax as ERUNT but
performs the additional task of deleting old restore folders after the
new backup has been created.

For this to work properly, the name of the last folder in the command
line option DestinationFolder must begin with the current date, or the
#Date# string, respectively. If this is the case AUTOBACK
automatically searches the parent folder of the newly created backup
for folder names of the same date format and deletes all folders
except from the last 30 days where backups have been created.

The number of restore folders to keep can be changed using the /days:n
command line switch, e.g. /days:7 would only keep the folders from the
last 7 backup days.

By default AUTOBACK does not create a new backup if one already exists
for the current day. Use the /alwayscreate switch to change this
behavior and have the program always create a new backup.

AUTOBACK is dependent on ERUNT and therefore needs to be executed from
the same folder. It uses the same settings for the date format as
ERUNT does, so if you specified a new format in ERUNT.INI it will also
be used automatically by AUTOBACK.



Restoring the registry with ERDNT
---------------------------------

Situation: Windows is running normally.

To restore a previous registry backup, open Windows Explorer, navigate
to the folder where you saved the backup to, and double-click the
ERDNT.EXE file to start the restoration program. (Each restore folder
has its own copy of ERDNT.EXE in it.) Select which registry components
to restore, then click "OK" to start restoration. When the process is
complete, click "OK" to restart the computer and activate the restored
registry.

Note: If you experience any problems restoring the registry, please
read "ERDNT technical information" later in this document to learn
what ERDNT is actually doing during the process, or simply read on
through the following emergency scenarios for other ways of restoring
the registry.



What to do if Windows does not boot anymore?
--------------------------------------------

If Windows refuses to boot normally it can be for a variety of
reasons, not the least of which is that the registry is damaged, or
you installed a program or driver which is somewhat incompatible with
the system or buggy, in which case restoring a registry backup from a
point where everything was running smoothly should also help.

The first thing to try is to reboot and press the F8 key immediately
before the first Windows screen appears, then select the "Last Known
Good" option from the menu and see if Windows boots up with this
option. If it does, you're all set.

If it does not, reboot again with F8, and select the option "Safe
Mode". If Windows boots up in safe mode, you can restore a registry
backup just as you would in normal mode, as described above.

If safe mode also fails, read on...



Restoring the registry with ERDNT - Emergency Scenario I
--------------------------------------------------------

Situation: Windows fails to boot up in normal and safe mode, but you
have a DOS boot disk or another (working) operating system installed
on your PC which is supported by the ERDNT restoration program, and
from which you have full access to the drive(s) containing the corrupt
Windows installation and the registry backup.

Boot up to the working OS, and open the folder containing the registry
backup you want to restore.

If the drive letters are different to as they were in the Windows
where you created the registry backup, you need to edit the ERDNT.INF
file now to reflect the new drive letters, before trying to restore
the registry backup. For example, if the drive with the corrupt
Windows installation is now available as D: instead of C:, then you
would change all C:\... references in the INF file to D:\... . Editing
the file can be done in Windows with the Notepad program, and in DOS
with the EDIT command.

Now run the ERDNT.EXE file to start the restoration program. Select
which registry components to restore (just the system registry will do
in most cases), then start restoration. When the process is complete,
reboot the computer and check if the other Windows installation is
repaired now.



Restoring the registry with ERDNT - Emergency Scenario II
---------------------------------------------------------

Situation: Windows fails to boot up in normal and safe mode, and you
have no other working operating system installed on your PC.

The following two rescue methods require that your PC is configured so
that it can boot from CD. See your BIOS documentation for more
information.

1. Bart's PE Builder
Use another computer with Internet access and CD burning capabilities
to download this free program from the Internet (do a Google search
for it), which will create a bootable Windows CD with full access to
all drives (including NTFS). Boot from this CD, open the File
Management Utility and follow the directions in "Emergency Scenario I"
to run ERDNT and restore the registry.

2. The Windows Recovery Console (Windows 2000 and higher)
Note that you can use this method only if you saved the registry
backup inside the Windows folder, and that using this procedure only
the system registry is restored. This should however get you back into
Windows, from where you can run the ERDNT program to restore user
registries, if necessary.
- Boot your system from the Windows 2000/2003/XP CD-ROM.
- At the welcome screen, press "R" (Windows 2000: "R" then "C").
- Type in the number of the Windows installation you want to repair
(usually 1), then press ENTER.
- Type in the Administrator password (leave blank if you are unsure
what it is) and press ENTER.
- At the command prompt type
cd erdnt
or whatever you named your restore folder, then press ENTER.
- If you enabled automatic registry backup on system boot during ERUNT
installation and want to restore one of these backups, type
cd autobackup <ENTER>
- If you created subfolders for different registry backups (for
example, with the different creation dates), type
dir <ENTER>
to see a list of available folders, then type
cd foldername <ENTER>
where foldername is the name of a folder listed by the dir command,
to open that folder.
- Now type
batch erdnt.con <ENTER>
to restore the system registry from that folder.
- Type
exit <ENTER>
and remove the CD from the CD-ROM drive. The system will now reboot
with the restored registry.



ERDNT technical information
---------------------------

ERDNT knows two restoration modes. The right mode is usually auto-
detected each time ERDNT is run, but read on if you are experiencing
problems restoring the registry.

"NT" mode is used if you run the ERDNT program from within the same
system where you made the backup. This is determined by looking at the
[SystemRoot] entry in the ERDNT.INF file and comparing it to the
actual %SystemRoot% environment variable. Using "NT" mode is the only
way to successfully restore the active registry of the currently
running OS.

"File copy" mode is used if the currently running OS is NOT NT-based,
or if the [SystemRoot] entry does not match the %SystemRoot%
environment variable. In this mode the backed up registry files are
simply copied back to their original location.

MS-DOS based ERDNT only supports "File copy" mode.

Note: In restoration mode "NT" backups of the current registry files
are automatically created, so that option is grayed out. In
restoration mode "File copy" all saved user registries are
automatically restored, so you cannot choose between "current user"
and "other user" registries.

The backups of the current registry files are placed in the same
location as the original and are given the extension ".bak".

Experienced users don't even need to use the ERDNT program in other
operating systems to restore a registry backup. Given access to the
appropriate files and folders, the backed up files can simply be
copied back to their original location, as that is all ERDNT does
in "File copy" mode anyway. Have a look at the ERDNT.INF file to
find out what the original file locations are.



ERDNT command line switches
---------------------------

The ERDNT program also supports command line switches for "silent"
operation. The syntax for the ERDNT command line is:

ERDNT silent [sysreg] [curuser] [otherusers]
[/mode:nt|filecopy] [/nobackup] [/noprogresswindow] [/reboot]

(Switches in brackets are optional.)

Description of the command line switches:

silent
Puts ERDNT into "silent" mode and enables all other switches.

sysreg
Restore the system registry

curuser *
Restore the current user registry
(This option is ignored in "File copy" restoration mode.)

otherusers
Restore other saved user registries

(Note: If none of the three above options is given on the command
line, ERDNT automatically uses the default restoration options, system
and current user registry.)

/mode:nt or /mode:filecopy *
Disables automatic detection of the correct restoration mode and
uses mode "NT" or "File copy" instead.

/nobackup
Don't make backups of the current registry files during restoration.
(This switch is ignored in "NT" restoration mode.)

/noprogresswindow
Hides the progress window during restoration.

/reboot *
Automatically reboots the computer when restoration of the registry
is complete.

* = Not supported in the DOS version of ERDNT.



Optimizing the registry with NTREGOPT
-------------------------------------

Similar to Windows 9x/Me, the registry files in an NT-based system
can become fragmented over time, occupying more space on your hard
disk than necessary and decreasing overall performance. You should
use the NTREGOPT utility regularly, but especially after installing
or uninstalling a program, to minimize the size of the registry files
and optimize registry access.

The program works by recreating each registry hive "from scratch",
thus removing any slack space that may be left from previously
modified or deleted keys.

Note that the program does NOT change the contents of the registry in
any way, nor does it physically defrag the registry files on the drive
(as the PageDefrag program from SysInternals does). The optimization
done by NTREGOPT is simply compacting the registry hives to the
minimum size possible.

To optimize your registry, simply run NTREGOPT, click "OK", and when
the process is complete click "OK" to reboot the computer. You should
do so immediately because any changes made to the registry after
NTREGOPT has been run are lost after the reboot.



NTREGOPT command line switches
------------------------------

The syntax for the NTREGOPT command line is:

NTREGOPT silent [/noprogresswindow] [/reboot]

(Switches in brackets are optional.)

Description of the command line switches:

silent
Puts NTREGOPT into "silent" mode and enables the other switches.

/noprogresswindow
Hides the progress window during optimization.

/reboot
Automatically reboots the computer when optimization of the registry
is complete.



Known problems
--------------

ERUNT and NTREGOPT sometimes fail with error 1450 - "Insufficient
system resources exist to complete the requested service" - when
trying to save a registry hive. I have not yet been able to reproduce
this error on any PC, and reports from affected users indicate that it
also pops up when trying to back up the critical hive using
Microsoft's REGBACK program. This makes it unlikely that there is
anything I can do on my (the programmer's) side. Some users reported
however that they were able to work around the problem by running
ERUNT/NTREGOPT in Windows' safe mode, and in one case uninstalling a
Symantec software suite solved it permanently. One user reported that
increasing the "IRPStackSize" value as described in Microsoft
Knowledge Base article 177078 fixed the problem on his system.

When the system is rebooted after a restoration of the registry with
ERDNT or optimization with NTREGOPT, Windows Server 2003 will by
default display the shutdown event tracker during logon asking why the
system has been shut down unexpectedly. This is because the info that
the shutdown was in fact an expected one is written to the "old"
registry during shutdown of the system which is replaced by the
restored/optimized registry next time the system is booted, and
therefore the shutdown info is discarded and shutdown event tracker
thinks the system crashed. You may want to disable the tracker to
avoid this message in the future (see the Windows help for information
on how to do this).

If you experience any other problems, please email me at
[email protected] with a detailed description and I will see if
I can help you.



Localization
------------

You can translate all programs from this package into your language by
editing the appropriate .LOC file.

Keep in mind that the LOC files of the three Windows programs (ERUNT,
ERDNTWIN, NTREGOPT) should be edited using a Windows based editor
(Notepad), and ERDNTDOS.LOC using an MS-DOS based editor (EDIT.COM).
This is to ensure that any OEM characters are displayed correctly in
the program.

If your language is not yet present on my homepage and you want your
localization to be available to the general public, you are welcome to
send the four translated files to me. I will then make them available
for download, with credits of course.

I have included a German language pack. If you want to use the program
in German, simply unzip LOC_GER.ZIP into your ERUNT folder.



Version history
---------------

v1.1j, 10/20/2005
- Fixed compatibility issues with 64-bit Windows (many thanks to
Ian Smith and Hajo for all testing)
- Enhanced error messages
- AutoBackup now supports all date formats
- ERUNT.INI: "TimeSeparator" fixed; "DefaultDestinationFolder" now
supports all environment variables (previously only %SystemRoot%
could be used)
- ERDNT now displays the source Windows folder in addition to the
backup's creation date

v1.1i, 08/17/2005
- AutoBackup: Improved support for complex date formats
- NTREGOPT: Optimization results are now calculated correctly when
optimization failed on one or more hives

v1.1h, 03/06/2005
- Updated homepage address
- New ERUNT.INI option: AppendTimeToFolderEditField
- Fixed a problem where the current user registry could not be
identified on some systems
- Changed behavior of AutoBackup's /days:n switch

v1.1g, 11/02/2004
- ERUNT is now MUCH faster on Windows XP and Server 2003
- Added time string support on the command line
- AutoBackup now by default skips creating a backup for the current
day if one already exists

v1.1f, 08/26/2004
- Added AUTOBACK.EXE command line tool for automated registry backup
and deletion of old restore folders created prior to a specific
number of days
- Window position is now screen center instead of desktop center,
fixing display problem when using multiple monitors (thanks John :)

v1.1e, 07/31/2004
- Appearance of the date string can be configured via ERUNT.INI
- NTREGOPT: Optimization results: use thousand separator

v1.1d, 07/07/2004
- Optimized error handling
- Combined DOS and Windows ERDNT into a single Win32 executable,
fixing problems with the previous 16-bit exe stub on some systems
and with BartPE
- Added Windows Recovery Console support with ERDNT batch file
- Default destination folder can now be configured via file ERUNT.INI,
replacing #DestinationFolder command line option
- Changed the default destination folder to be inside the Windows
folder, for easy recovery console access
- New folder named the current date is automatically appended to
destination folder (can be disabled in ERUNT.INI)
- Rewrote major parts of the documentation

v1.1c, 05/10/2004
- Fixed problems with dynamic disks
- Added browse function for destination folder, as well as the option
to change the default name (use #DestinationFolder on the command
line)
- Re-added support for Windows NT 3.51 (got lost with v1.1) except
browse function

v1.1b, 04/23/2004
- ERUNT and NTREGOPT are now compatible with Windows Server 2003 and
Windows XP Service Pack 2
- Fixed a problem where the registry hives could not be
saved/restored/optimized on some systems
- Changed naming convention for user subfolders in the ERDNT folder

v1.1a, 10/03/2002
- Fixed a problem where the registry hives could not be
saved/restored/optimized on some systems

v1.1, 09/25/2002
- Fixed "Invalid pointer operation" message which occurred on some
systems (many thanks to Russ Cordner for his assistance in isolating
the problem)
- Fixed "Error opening localization file" message when ERUNT.EXE was
called from outside the ERUNT folder
- Fixed some problems with UNC path names
- Added command line support for ERDNT and NTREGOPT
- NTREGOPT: show optimization results (initial and new registry size)

v1.0, 11/24/2001
- Initial release



Distribution
------------

The ERUNT package (including the programs ERUNT, AUTOBACK, ERDNT and
NTREGOPT) is freeware. Please pass it to anyone who you think may find
it useful.

I explicitly allow this package to be included in any file archive,
CD-ROM or other media collection as well as usage in your own programs
provided that all files are kept and remain unchanged. A quick note
via e-mail where my program has been included is appreciated.



Donations
---------

Though I chose to make my programs freeware so that no one is required
to pay for using them, I accept and appreciate donations. So, if you
find my programs helpful and want to support further development,
simply visit my homepage and click one of the "PayPal" buttons, or
donate directly to my e-mail address via PayPal. Thanks in advance!

If you live in Germany and want to make a donation, you may also
transfer money directly to my bank account. Contact me for more
information.



Disclaimer
----------

Use this software at your own risk. I do not take responsibility for
anything that might happen to you or the PC upon use of my programs,
including but not limited to: registry destruction, hard disk crash,
heart attack...

Comments and suggestions via e-mail, however, are always welcome!

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3969

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/8/2010 11:18:11 AM
mbam-log-2010-04-08 (11-18-11).txt

Scan type: Quick scan
Objects scanned: 115555
Time elapsed: 10 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{17996e72-ee06-4d59-943f-4c3ebba5a916} (Adware.ISMonitor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{17996e72-ee06-4d59-943f-4c3ebba5a916} (Adware.ISMonitor) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,711 posts
  • MVP
Copy the text between the lines of stars by highlighting and Ctrl + c
***************************************************************************************************
:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - prefs.js..network.proxy.type: 4
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe File not found
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)

:Files
C:\Documents and Settings\All Users\Application Data\ac73cf9
C:\WINDOWS\Tasks\Rescue Reminder for 2HAPPLGC.job

:Commands
[RESETHOSTS]
[purity]
[emptytemp]
[Reboot]

*******************************************************************

then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done.

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Run Malwarebytes' Anti-Malware

* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See:

http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan

completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer

to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even

when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Reboot now, please :!:

Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:

OTL Log
MBAM log
Combofix log

Ron
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP