[onedavester]

Symantec removed a Trojan from my Xp computer today along with copy.exe.

Now when I go to my computer and click on any of my hard drives, I get Windows cannot find "copy.exe". I can only access my hard drives via IE.

[JSntgRvr]

Hi, onedavester

Welcome.

There is something strange about this.

Click here to download HJTsetup.exe

• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

In addition, Click here to download WinPFind .

• Right Click the Zip Folder and Select "Extract All"
• Extract it somewhere you will remember like the Desktop
• Dont do anything with it yet!

Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

• Double click WinPFind.exe
• Click "Start Scan"
• It will scan the entire System, so please be patient!
• Once the Scan is Complete, restart the computer back in Normal Mode.
• Go to the WinPFind folder
• Locate WinPFind.txt
• Place those results in the next reply!

[onedavester]

Logfile of HijackThis v1.99.1
Scan saved at 6:53:33 PM, on 8/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Dave\Desktop\Stick\HijackThis.exe

F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Registry Clean Expert\RegCleanExpert.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.2.2.89.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://portal.bassett.org/dana-cach...terisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139751853687
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...90/mcfscan.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neut...cab?10,0,910,0
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A4CFFE9-3148-4C77-8B47-78A07CECCF0E}: NameServer = 12.189.32.61
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

[onedavester]

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/23/2001 9:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 5/17/2006 11:23:38 AM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 8/4/2004 1:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
PEC2 1/21/2006 12:09:50 PM 230400 C:\WINDOWS\SYSTEM32\tssOfficeMenu1d.ocx
PECompact2 1/21/2006 12:09:50 PM 230400 C:\WINDOWS\SYSTEM32\tssOfficeMenu1d.ocx
winsync 8/23/2001 9:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 12/5/2003 11:18:08 PM 101376 C:\WINDOWS\SYSTEM32\xvid.ax

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/12/2006 11:25:44 PM S 2048 C:\WINDOWS\bootstat.dat
8/12/2006 10:59:28 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
8/12/2006 10:59:34 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
8/12/2006 11:00:12 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
8/12/2006 10:59:36 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
8/12/2006 11:00:54 PM H 266240 C:\WINDOWS\repair\ntuser.dat
8/12/2006 4:49:26 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\044a6f562ca5290509d799bf41a52aed\BIT16.tmp
8/12/2006 4:53:32 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\05050b9994d820e7079f0c7c2a7a3e01\BIT1A.tmp
8/12/2006 4:57:38 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0da4d07f1c0daddae341154d5c5618e8\BIT1E.tmp
8/12/2006 4:58:38 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\12872a4fd5ad52aafc9035961c16e563\BIT1F.tmp
8/12/2006 5:14:16 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\20cd36d7283b4940f5d55fba9d008bc7\BIT2E.tmp
8/12/2006 5:30:20 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2337f75b6cfb9c1756b2d48701476ee3\BIT3D.tmp
8/12/2006 5:21:46 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2599f89a22d2a65299ffec348453588c\BIT35.tmp
8/12/2006 4:52:30 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2991f70fec08210a301ba3d28684d595\BIT19.tmp
8/12/2006 5:18:34 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2bf1a26042bcc156c98a41e2105dfc3b\BIT32.tmp
8/12/2006 5:32:28 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2f8972f47c1980a533dc0f726730f789\BIT3F.tmp
8/12/2006 5:29:16 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\321ca12b9fa3a6e84c5208a19d84f4b9\BIT3C.tmp
8/12/2006 5:24:58 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\35cce4c0c04512d0bce9f3bf12fcbdee\BIT38.tmp
8/12/2006 5:15:20 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\36a2d56bfaf653641b67e8413870534a\BIT2F.tmp
8/12/2006 5:33:34 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3a84255fa53bf624e6efd81d8d5d3ebf\BIT40.tmp
8/12/2006 5:11:08 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3d1f1ef69c42658cd4588e972c54bb63\BIT2B.tmp
8/12/2006 5:31:24 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\4507315e795e4b1a19374ad387e506fb\BIT3E.tmp
8/12/2006 5:05:54 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\550b1142f7e1f8ec32b1cdb4c5b12158\BIT26.tmp
8/12/2006 5:23:56 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\57bffbe98102c87c00d9009d1a21597a\BIT37.tmp
8/12/2006 5:22:50 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5b4fc36992d4aa37911376d5c1e0e6ff\BIT36.tmp
8/12/2006 5:26:02 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5ce82d6fe07555fb9de241d0a5a80347\BIT39.tmp
8/12/2006 5:36:48 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\67b903d652c691e53b3eb9a727375ac0\BIT43.tmp
8/12/2006 4:51:30 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6b06da40652f8ab972561e743ae05a96\BIT18.tmp
8/12/2006 4:48:26 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6d23b8f719dc5412ac7aeb7db3387c36\BIT15.tmp
8/12/2006 5:16:26 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\74eac9a4b069a45e3e4e8d162f3dd349\BIT30.tmp
8/12/2006 4:45:24 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\79a472c662fcaea1ff845b3a03de2d4f\BIT12.tmp
8/12/2006 5:17:30 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7a0b2e29d3aa48d4be478bc6a367b3b1\BIT31.tmp
8/12/2006 5:08:00 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7fb9a1dcd00c55662f93dcfc1b3ae0e6\BIT28.tmp
8/12/2006 4:47:24 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\837ee431df87226c3788bde39d0fd5c6\BIT14.tmp
8/12/2006 5:27:06 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8cba22abe8f75dc35995de26fee51cb5\BIT3A.tmp
8/12/2006 4:54:32 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8cd6b657df2be1875bba5acbd76b9294\BIT1B.tmp
8/12/2006 4:46:24 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT13.tmp
8/12/2006 5:00:42 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\9068529eb9ffcb0374073e28df2ec7a6\BIT21.tmp
8/12/2006 5:28:12 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\9abfb63b253fa152e6c1ba7c8a3b216f\BIT3B.tmp
8/12/2006 5:04:52 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\9c6a857a536c230a49190993fc1c2a15\BIT25.tmp
8/12/2006 5:01:46 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a10059c9324422cfcb0f7ef897dbfc6d\BIT22.tmp
8/12/2006 5:10:06 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b644f487577711809366dbf3bb5f84d7\BIT2A.tmp
8/12/2006 4:42:22 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b698fa070be2bb519363d15b488fcca8\BITF.tmp
8/12/2006 5:03:50 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\bd0c48d4592ffe3631c19bd04a50ac18\BIT24.tmp
8/12/2006 5:34:38 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\c38f81748688325a9df6ee13850c72ae\BIT41.tmp
8/12/2006 4:56:36 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\c8a4c951c3e8ab4dd628bb92a80adc33\BIT1D.tmp
8/12/2006 4:59:40 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\c9ca23e0db0bf40b7c223d3803986f23\BIT20.tmp
8/12/2006 5:20:42 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ccf16a349964b0c1db2aca1fe8adaff2\BIT34.tmp
8/12/2006 4:41:36 PM H 333032 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\cf6711df6004b507aee20e828abd0934\BITE.tmp
8/12/2006 5:06:58 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\cf90e529267ca119c39465c951264b3a\BIT27.tmp
8/12/2006 5:02:48 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e0dc0b83689ce7b61aec9a92ab403ff5\BIT23.tmp
8/12/2006 4:43:22 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e248e6e6cf7cf235ca9adad589c1947a\BIT10.tmp
8/12/2006 4:44:22 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e2b4d3fe99fff743f9d3d64ed7c7e582\BIT11.tmp
8/12/2006 4:50:28 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e8aaf3d0f5a2a9436cb55a74f4d86214\BIT17.tmp
8/12/2006 5:09:04 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ead7837e90f144c8b951601ec9bcfe5a\BIT29.tmp
8/12/2006 5:35:42 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ecfce25a95ce63c5f2916759afdade7f\BIT42.tmp
8/12/2006 4:55:34 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\f3e8876507c7f9f7533d48d28ca86168\BIT1C.tmp
8/12/2006 5:13:14 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fa4f65ff7c7106a46457f558c01dcc94\BIT2D.tmp
8/12/2006 5:12:10 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fa998053d8f05286f86623337cfbdf24\BIT2C.tmp

[onedavester]

C:\WINDOWS\system32\cdplayer.exe.manifest
8/12/2006 10:59:34 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
8/12/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
8/12/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
8/12/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
8/12/2006 10:59:34 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
8/12/2006 10:59:28 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
8/12/2006 5:55:32 PM H 0 C:\WINDOWS\system32\config\default.tmp.LOG
8/12/2006 5:55:32 PM H 0 C:\WINDOWS\system32\config\software.tmp.LOG
8/12/2006 5:55:08 PM H 0 C:\WINDOWS\system32\config\system.tmp.LOG
8/12/2006 5:55:02 PM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
8/12/2006 5:55:32 PM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
8/12/2006 11:00:58 PM H 1024 C:\WINDOWS\system32\config\userdifr.LOG
8/12/2006 12:29:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a9f405f3-85d6-477a-a873-a99f17c31460
8/12/2006 12:29:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/12/2006 11:24:40 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 2:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 9:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 9:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
3/9/2006 3:29:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/23/2001 9:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/27/2001 9:41:50 PM 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SiSoftware 6/24/2003 1:11:02 PM 53248 C:\WINDOWS\SYSTEM32\SanCpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 9:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 162304 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 9:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 9:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 9:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/23/2001 9:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 162304 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

[onedavester]

»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/12/2006 11:00:50 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/12/2006 9:57:48 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
2/12/2006 11:23:04 AM 419 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
2/11/2006 9:29:20 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2/11/2006 4:18:00 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Evidence Eliminator
{B1816445-A3ED-11D3-B2B3-00104B4C6B08} = C:\WINDOWS\system32\Eeshellx.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\shredderse
{00000000-0001-0001-0000-000000000000} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Evid ence Eliminator
{B1816445-A3ED-11D3-B2B3-00104B4C6B08} = C:\WINDOWS\system32\Eeshellx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVP Menu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpyS weeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinR AR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\E ncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\O ffline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\S haring
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\s hredderse
{00000000-0001-0001-0000-000000000000} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\W inRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0561EC90-CE54-4f0c-9C55-E226110A740C}
= C:\Program Files\Avi2Dvd\Programs\Filters\Haali media splitter\mmfinfo.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
= "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
ButtonText = PartyPoker.com : C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Evidence Eliminator "C:\Program Files\Evidence Eliminator\ee.exe" /m
ElbyCheckElbyCDFL "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray C:\PROGRA~1\SYMANT~1\VPTray.exe
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
SM56ACL sm56hlpr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCo mponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnc e]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk
backup C:\WINDOWS\pss\Billminder.lnkCommon Startup
location Common Startup
item Billminder
backup C:\WINDOWS\pss\Billminder.lnkCommon Startup
location Common Startup
item Billminder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk
backup C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe
item hp psc 1000 series
backup C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe
item hp psc 1000 series

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk
backup C:\WINDOWS\pss\Program Neighborhood Agent.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Citrix\ICACLI~1\pnagent.exe
item Program Neighborhood Agent
backup C:\WINDOWS\pss\Program Neighborhood Agent.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Citrix\ICACLI~1\pnagent.exe
item Program Neighborhood Agent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
item Quicken Scheduled Updates
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
item Quicken Scheduled Updates

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Dave^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk
backup C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup
location Startup
command C:\PROGRA~1\OPENOF~1.0\program\QUICKS~1.EXE
item OpenOffice.org 2.0
backup C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup
location Startup
command C:\PROGRA~1\OPENOF~1.0\program\QUICKS~1.EXE
item OpenOffice.org 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Dave^Start Menu^Programs^Startup^XFX Game Controller.lnk
path C:\Documents and Settings\Dave\Start Menu\Programs\XFXGameController\XFX Game Controller.lnk
backup C:\WINDOWS\pss\XFX Game Controller.lnkStartup
location Startup
command C:\Documents and Settings\Dave\Application Data\Microsoft\Installer\{C843A6E6-5B4E-4F36-9F1A-10187070D3DA}\XFXController.exe1_C843A6E65B4E4F369F1A10187070D3DA.exe
item XFX Game Controller
path C:\Documents and Settings\Dave\Start Menu\Programs\XFXGameController\XFX Game Controller.lnk
backup C:\WINDOWS\pss\XFX Game Controller.lnkStartup
location Startup
command C:\Documents and Settings\Dave\Application Data\Microsoft\Installer\{C843A6E6-5B4E-4F36-9F1A-10187070D3DA}\XFXController.exe1_C843A6E65B4E4F369F1A10187070D3DA.exe
item XFX Game Controller

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AnyDVD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AnyDVD
hkey HKLM
command C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AnyDVD
hkey HKLM
command C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\C2K
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Cyb2k
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Cyb2k
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CloneCDTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CloneCDTray
hkey HKLM
command "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CloneCDTray
hkey HKLM
command "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTDVDDET
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTDVDDet
hkey HKLM
command C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTDVDDet
hkey HKLM
command C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTHELPER
hkey HKLM
command CTHELPER.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTHELPER
hkey HKLM
command CTHELPER.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTSysVol
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTSysVol
hkey HKLM
command C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTSysVol
hkey HKLM
command C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ElbyCheckAnyDVD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ElbyCheck
hkey HKLM
command "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L AnyDVD
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ElbyCheck
hkey HKLM
command "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L AnyDVD
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ITD65_ITD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item itd
hkey HKCU
command "C:\Program Files\Steganos Trace Destructor 6.5\itd.exe" /booting
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item itd
hkey HKCU
command "C:\Program Files\Steganos Trace Destructor 6.5\itd.exe" /booting
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mozilla Quick Launch
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mozilla
hkey HKCU
command "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mozilla
hkey HKCU
command "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvCpl
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvCpl
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvMediaCenter
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvMcTray
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvMcTray
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SBDrvDet
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SBDrvDet
hkey HKLM
command C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SBDrvDet
hkey HKLM
command C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SM56ACL
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sm56hlpr
hkey HKLM
command sm56hlpr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sm56hlpr
hkey HKLM
command sm56hlpr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UpdReg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdReg
hkey HKLM
command C:\WINDOWS\UpdReg.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdReg
hkey HKLM
command C:\WINDOWS\UpdReg.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\C LSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEn um
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratin gs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\syste m
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explor er
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceOb jectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\system32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify
= PCANotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/12/2006 11:34:41 PM

[JSntgRvr]

Hi, onedaveste

In Windows XP, some commands are not actually programs; they are interpreted and executed internally by the command shell in the Windows command interpreter (CMD.EXE). Some examples of these are DIR, SET, and COPY. If you look on your hard drive, you will not find a DIR.EXE or COPY.EXE. They are part of the command interpreter, CMD.EXE.

Lets refresh some entries in your registry:

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot preform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry

1. Go Here and download ERUNT
   (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
   (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
   (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
   (the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Registry Modifications

Download the enclosed file. Extract its contents to the desktop. It is a Registry Entries file, Shellfix.reg. Do nothing with it yet.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: Shell=
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Double click on the Shellfix.reg file and select Yes when prompted to merge it into the registry.

Restart the computer.

If that does not resolve the issue, download FIXPATH2.ZIP by Bill Stewart

• Extract the files to a folder in C:\, like C:\FIXPATH2 (make a folder like that to extract the files to).
• Open a command prompt window by going to Start > Run type: cmd and click Ok.
• At the command prompt, type: cd C:\ and press Enter, so you should get C:\>.
• The type: cd FIXPATH2 and press Enter, So you should get: C:\>fixpath2.
• Then type: FIXPATH.EXE and press Enter.
• It will display some preliminary information, and ask if it should continue and check for errors. Click Yes.
• If it successfully updates the Path value in the registry, you will need to
  reboot for the change to take effect. !! This is really important !!

Keep me posted.

[JSntgRvr]

Oooops! Forgot to include the file. Here it is!

[onedavester]

None of this helped but Thanks. I noticed that I can right click my hardrive(s) and then left click open. I will just have to live with that until I can reload.

[JSntgRvr]

Hi, onedavester

Download the enclosed file and extract its contents to the desktop. It is a batch file. Once extracted, doubleclick on it and a new document will be produced. Post the contents of the document.

[onedavester]

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
Path REG_EXPAND_SZ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;C:\Program Files\Symantec\pcAnywhere\;C:\Program Files\Common Files\Ulead Systems\MPEG
windir REG_EXPAND_SZ %SystemRoot%
FP_NO_HOST_CHECK REG_SZ NO
OS REG_SZ Windows_NT
PROCESSOR_ARCHITECTURE REG_SZ x86
PROCESSOR_LEVEL REG_SZ 15
PROCESSOR_IDENTIFIER REG_SZ x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_REVISION REG_SZ 0207
NUMBER_OF_PROCESSORS REG_SZ 1
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP

[JSntgRvr]

Hi, onedavester

All seem to be in the right place; Shell, ComSpec and Path. I have no idea why are you experiencing this issue.

You can perform some maintenance and see if we have better results:

Underlined items are clickable to give more information about the process:

Click start then run, type prefetch then press enter, click edit then select all, right click any file then click delete, confirm delete.

Click start, all Programmes, Accessories, System Tools to run Disc Clean up, then from System Tools, also run Disc Defragmenter.

Click start then run, type sfc /scannow then press enter, you need the XP CD and Windows File Protection will show a blue onscreen progress bar, when the bar goes, reboot.

If you do not have an XP CD you can borrow a same version as was originally installed XP CD, if you downloaded SP2 then you need an SP1 XP CD

Click start then run, type chkdsk /f /r then press enter, type Y to confirm for next boot, press enter then reboot.

Windows will appear to load normally then either the monitor will show progress or the screen will go blank, do not disturb this.

This will take an hour or so before it gets to the desktop.

Download and install Tune Up 2006 Trial

Run Tune Up Disc Clean Up

Run Tune Up Registry Clean Up

Click Optimize and Improve to run Reg Defrag, which will take a few minutes and need a reboot. You should disable the antivirus programme to run this and check it is running after the reboot

After the reboot, click optimize then system optimizer to optimize the computer, select computer with an internet connection from the drop down menu, this also requires a reboot

After the reboot, click optimize then system optimizer to accelerate downloads, select the speed just above your actual connection speed, this requires a reboot

After the reboot, click optimize then system optimizer to run system advisor.

============================================

BTW: Have you checked the Event Viewer?

Start->Control Panel->Administrative Tools->Event Viewer

Double click on System. Are there any error reflected therein?

[onedavester]

Update:

I also had the "cannot find copy.exe" error when I clicked on my flash drive. I dumped the drive into a folder on another computer and formatted the flash drive. I put the data back on it and it now works fine. (The flash drive had the same error on another pc!) This would indicate that whatever this trojan was it is not affecting the registry, it is putting something on the drives to make them not be able to open properly! Any thoughts??

[JSntgRvr]

Hi, onedavester

That sounds like a problem with the boot sector in the hard drive.

Open Notepad. Select File then Open. Type C:\Boot.ini on the file to be opened and click on Open. Post the contents of this file in your next reply.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction Here for installation.
• Accept the License Agreement.
• Once the ActiveX installs,Click Full System Scan
• Once the download completes,the scan will begin automatically.
• The scan will take some time to finish,so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
• Click the Show Report button and Copy&Paste the entire report in your next reply along with a fresh Hijackthis log.

[onedavester]

Gonna mark this solved. Thanks for all your help. I am reloading my computer as I write this note. Probably for the best. I am going to blame Symantec for taking out copy.exe and ruining my system. Apperantly it was part of the command.com shell. I am starting a thread in here for the best "freebie" antivirus program vs the best pay software. I hope this doesn't start a debate...lol