# Solved: Spyware Protection Pop ups and McAfee Alarms Trojan Vundo

## WEllin11 (Nov 23, 2007)

I'm new to this forum. I will post the HJT log that I just ran. I have tried to run Combofix based on other threads, but get a pop up saying McAfee detects suspicious scripting and has stopped it; even though I have disabled McAfee. I am getting a pop up that says Spyprotection has found some spyware. Let me know what to do next. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:57 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\1144185022\ee\aolsoftware.exe
c:\program files\common files\aol\1144185022\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1144185022\ee\aolsoftware.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\pmnooml.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lipscomb.edu
O17 - HKLM\Software\..\Telephony: DomainName = lipscomb.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lipscomb.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.36 85.255.112.75
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lipscomb.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.36 85.255.112.75
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.36 85.255.112.75
O20 - Winlogon Notify: pmnooml - C:\WINDOWS\SYSTEM32\pmnooml.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 7356 bytes
SpyWare Protection has caught something. Let me know what to do next.

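The log above carries three indicators that the rest of this thread ends up removing: an unnamed O2 BHO in system32, an O20 Winlogon Notify entry loading that same DLL, and O17 NameServer values pointing at resolvers the machine should not be using. The following script is an added example (not code from the thread or from HijackThis) that triages a HijackThis log for exactly those patterns; the `EXPECTED_RESOLVERS` allow-list is an assumption an operator would fill in with their own DNS servers, and the sample log is constructed from the lines posted above.

```python
import re
from ipaddress import ip_address, ip_network

# Resolvers this machine is expected to use. Constructed for the example (an
# assumption): in practice put the ISP's or campus resolvers here.
EXPECTED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def basename(path):
    """Last path component, lower-cased, so SYSTEM32\\X.DLL and system32\\x.dll match."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(log_text):
    """Return a list of (section, message) findings for one HijackThis log."""
    unnamed_bho_dlls = set()   # DLLs registered as a BHO with no display name
    o17_servers = set()        # every NameServer value seen in any control set
    winlogon = []              # (name, path) of each O20 Winlogon Notify entry
    findings = []

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            # A BHO with no name, or one whose file is gone, is worth a look either way.
            if m["name"] == "(no name)" or m["path"] == "(no file)":
                findings.append(("O2", "BHO without a name or file: " + line))
            if m["name"] == "(no name)" and m["path"] != "(no file)":
                unnamed_bho_dlls.add(basename(m["path"]))
        elif m := O17_RE.match(line):
            o17_servers.update(m["servers"].split())
        elif m := O20_RE.match(line):
            winlogon.append((m["name"], m["path"]))

    # O17: any resolver outside the allow-list is reported once, not per control set.
    for server in sorted(o17_servers):
        try:
            ip = ip_address(server)
        except ValueError:
            findings.append(("O17", f"unparseable NameServer value {server!r}"))
            continue
        if not any(ip in net for net in EXPECTED_RESOLVERS):
            findings.append(("O17", f"NameServer {server} is not an expected resolver"))

    # O20: a Winlogon Notify DLL that is also an unnamed BHO runs at logon and in the
    # browser; that pairing is the pattern the first log in this thread shows.
    for name, path in winlogon:
        if basename(path) in unnamed_bho_dlls:
            findings.append(("O20", f"Winlogon Notify '{name}' loads {path}, which is also an unnamed BHO"))
    return findings


# Constructed sample: the relevant lines of the first log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\pmnooml.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.36 85.255.112.75
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.36 85.255.112.75
O20 - Winlogon Notify: pmnooml - C:\WINDOWS\SYSTEM32\pmnooml.dll
"""

if __name__ == "__main__":
    for section, message in analyze(SAMPLE_LOG):
        print(f"[{section}] {message}")
```

Run against the second log in this thread (after VundoFix and FixWareout) the O17 and O20 findings disappear, which is the quick way to confirm those two fixes took.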

----------



## JSntgRvr (Jul 1, 2003)

Hi, *WEllin11* 

Please download *ATF Cleaner* by Atribune.
*This program is for XP and Windows 2000 only*

Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
If you use Firefox browser
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
If you use Opera browser
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
Click *Exit* on the Main menu to close the program.
For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. *Beware: it is NOT supported for use in 9x or ME and probably will not install on those systems.*

*Upgrading Java*: 

Download the latest version of *Java Runtime Environment (JRE) 6 Update 3*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Please download *VundoFix.exe* to your desktop.

*Note: In the event you already have VundoFix, this is a new version that I need you to download.*
Double-click *VundoFix.exe* to run it.
You will receive a message saying vundofix will close and re-open in a minute or less. Click *OK*
When VundoFix re-opens, click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* in your next reply.
*Note:* It is possible that *VundoFix* encountered a file it could not remove. In this case, *VundoFix* will run on reboot; simply follow the above instructions starting from "Click the *Scan for Vundo* button" when VundoFix appears at reboot.
*Please print these instructions for reference, as you will have to restart your computer during the fix.*

Please download FixWareout from *Here* or *Here*.

*Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.*

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert (because this tool will download additional files from the internet), please don't let your firewall block it, but allow it instead.
You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads a text file will open (report.txt).
Please post the contents of C:\fixwareout\*report.txt*.
*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._)
Under "*Configuration and Preferences*", click the *Preferences* button.
Click the *Scanning Control* tab.
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._
_Scan for tracking cookies._
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen.
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*.
On the left, make sure you check *C:\Fixed Drive*.
On the right, under "*Complete Scan*", choose *Perform Complete Scan*.
Click "*Next*" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*".
Make sure everything has a checkmark next to it and click "*Next*".
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu.
If asked if you want to reboot, click "*Yes*".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._
_Please copy and paste the Scan Log results in your next reply along with a Hijackthis log._

Click *Close* to exit the program.


----------



## WEllin11 (Nov 23, 2007)

Well, it took some time to get all these scans done, but I have completed them. SuperAntispyware did not go according to instructions, but I think it ran. I did the ATF cleaner, upgraded my Java and removed the old version, VundoFix and finally did a HijackThis, that I'll post first.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:21 PM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Documents and Settings\Matt Ellington\My Documents\Death1\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Documents and Settings\Matt Ellington\My Documents\Death1\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lipscomb.edu
O17 - HKLM\Software\..\Telephony: DomainName = lipscomb.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lipscomb.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lipscomb.edu
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Matt Ellington\My Documents\Death1\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 6726 bytes

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 9:24:12 PM 11/24/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V6.7.0

Checking Java version...

Scan started at 5:14:37 AM 12/4/2007

Listing files found while scanning....

No infected files were found.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/04/2007 at 09:48 PM

Application Version : 3.9.1008

Core Rules Database Version : 3355
Trace Rules Database Version: 1354

Scan type : Complete Scan
Total Scan Time : 01:28:25

Memory items scanned : 417
Memory threats detected : 0
Registry items scanned : 5748
Registry threats detected : 26
File items scanned : 51923
File threats detected : 20

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{4D1C4E89-A32A-416b-BCDB-33B3EF3617D3}
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\InprocServer32
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\InprocServer32#ThreadingModel
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\Programmable
HKCR\CLSID\{4D1C4E89-A32A-416B-BCDB-33B3EF3617D3}\TypeLib
C:\PROGRAM FILES\NEED2FIND\BAR\1.BIN\ND2FNBAR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D1C4E81-A32A-416b-BCDB-33B3EF3617D3}

Adware.Tracking Cookie
C:\Documents and Settings\Matt Ellington\Cookies\matt [email protected][1].txt
C:\Documents and Settings\Matt Ellington\Cookies\matt [email protected][2].txt
C:\Documents and Settings\Matt Ellington\Cookies\matt [email protected][1].txt
C:\Documents and Settings\Matt Ellington\Cookies\matt [email protected][1].txt
C:\Documents and Settings\Matt Ellington\Cookies\matt [email protected][1].txt
C:\Documents and Settings\Matt Ellington\Cookies\matt [email protected][2].txt
C:\Documents and Settings\Matt Ellington\Cookies\matt [email protected][1].txt
C:\Documents and Settings\Matt Ellington\Cookies\matt [email protected][2].txt
C:\Documents and Settings\Matt Ellington\Cookies\matt [email protected][2].txt

Trojan.SysProtect
HKCR\CheckProd.CheckProduct.1
HKCR\CheckProd.CheckProduct.1\CLSID
HKCR\TypeLib\{7EACF70B-302F-4049-AC68-2D62EB43E473}
HKCR\AppId\CheckProduct2_1.DLL
HKCR\AppId\CheckProduct2_1.DLL#AppID
HKU\S-1-5-21-2408309094-1079718223-2475131663-1007\Software\SysProtect
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSCAN\0000\LogConf
C:\Program Files\Common Files\SysProtect\PCheck.dll
C:\Program Files\Common Files\SysProtect
C:\WINDOWS\SYSTEM32\DRIVERS\SSCAN.SYS

Trojan.DNSChanger-Codec
C:\DOCUMENTS AND SETTINGS\MATT ELLINGTON\MY DOCUMENTS\MOVIECODECS1163.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\CBADD.BAK1
C:\WINDOWS\SYSTEM32\CBADD.BAK2
C:\WINDOWS\SYSTEM32\CBADD.INI
C:\WINDOWS\SYSTEM32\CBADD.INI2
C:\WINDOWS\SYSTEM32\CBADD.TMP
C:\WINDOWS\SYSTEM32\MCRH.TMP

So after all this, do you think it is all fixed? I took the liberty of running the SuperAnti spyware one more time, with the internet connection disabled; it showed No threats detected. Let me know what to do now.
Thanks,
Wayne


----------



## JSntgRvr (Jul 1, 2003)

Hi, *WEllin11* 

Let's take a deeper look:

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *WinPFind3u* on your desktop.

Open the *WinPFind3u* folder and double-click on WinPFind3U.exe to start the program.
In the *Processes* group click *Non Microsoft*
In the *Win32 Services* group click *Non Microsoft*
In the *Driver Services* group click *Non Microsoft*
In the *Registry* group click *Non Microsoft*
In the *Files Created Within* group click *60 days*. Make sure *Non-Microsoft only is UNCHECKED*
In the *Files Modified Within* group select *30 days*. Make sure *Non-Microsoft only is UNCHECKED*
In the *File String Search* group select *Non Microsoft*
In the *Additional scans* section please select *All* and *uncheck* Non-Microsoft only

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## WEllin11 (Nov 23, 2007)

Judging by your reply, my problems still exist. I downloaded the requested file and started a scan. While it was showing "Scanning Event Viewer Logs...", a message window popped up labeled WinPFind3u; the message was: Access violation at Address ... I didn't copy the rest down. When I hit OK, it appears the scan has stalled. What now?
Wayne


----------



## JSntgRvr (Jul 1, 2003)

Hi, *WEllin11* 

Please retry WinPFind3u in Safe Mode. To boot the computer in Safe Mode, follow these steps:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.


----------



## WEllin11 (Nov 23, 2007)

Booted up in Safe Mode and ran WinPFind3U as instructed. Still got a pop up WinpFind3U message with red button that had a white X in it; saying "Access violation at address 7C924D49 in module ntdll.dll. Read of address 0000001E"
What is our next move?
Wayne


----------



## JSntgRvr (Jul 1, 2003)

Hi, *WEllin11* 

I just want to make sure we have not bypassed a bad file. Let's try another approach:


Download *Deckard's System Scanner (DSS)* from *here* or *here* to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Go to Start - Run, copy/paste the following and press Enter:

*"%userprofile%\desktop\dss.exe" /config*

Deselect all except for the following:

*Drivers*
*Services*
*Files created/Modified*
*Registry dump*
Under Options:
*Check Files Signatures*

Click on Scan

Please post the resulting report.

If the file is too long, attach it to a reply:

Scroll down and click the *Manage Attachments* button
Browse to the following folder:
*C:\Deckard\System Scanner*

Click *Upload* to upload this file
*Submit* your reply


----------



## WEllin11 (Nov 23, 2007)

Followed the instructions. Don't see how to attach, so here is a copy of the DSS scan.
Wayne
Deckard's System Scanner v20071014.68
Run by Matt Ellington on 2007-12-07 19:33:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
15: 2007-12-08 01:33:49 UTC - RP15 - Deckard's System Scanner Restore Point
14: 2007-12-07 03:30:28 UTC - RP14 - System Checkpoint
13: 2007-12-06 02:42:00 UTC - RP13 - System Checkpoint
12: 2007-12-05 01:54:55 UTC - RP12 - Installed SUPERAntiSpyware Free Edition
11: 2007-12-04 11:03:48 UTC - RP11 - Removed Java 2 Runtime Environment, SE v1.4.2

-- First Restore Point -- 
1: 2007-12-04 02:55:25 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Matt Ellington.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:15 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matt Ellington\My Documents\Death1\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Matt Ellington.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lipscomb.edu
O17 - HKLM\Software\..\Telephony: DomainName = lipscomb.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lipscomb.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lipscomb.edu
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Matt Ellington\My Documents\Death1\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 6397 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\documents and settings\matt ellington\my documents\death1\sasdifsv.sys
R1 SASKUTIL - c:\documents and settings\matt ellington\my documents\death1\saskutil.sys
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 BLKWGU(Belkin) (Belkin Wireless G USB Network Adapter(Belkin)) - c:\windows\system32\drivers\blkwgu.sys (file missing)
S3 catchme - c:\docume~1\mattel~1\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - c:\windows\system32\drivers\el90xbc5.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 SASENUM - c:\documents and settings\matt ellington\my documents\death1\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 wlluc51 (Wireless LAN USB Driver) - c:\windows\system32\drivers\wlluc51.sys <Not Verified; Lucent Technologies; ORiNOCO Driver for Windows.>
S3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-12-07 17:58:11 512 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (US-ELLINGTOMS-Matt Ellington).job
2007-12-07 14:09:00 382 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-12-07 03:00:00 514 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job

-- Files created between 2007-11-07 and 2007-12-07 -----------------------------

2007-12-04 20:07:40 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-04 19:54:56 0 d-------- C:\Documents and Settings\Matt Ellington\Application Data\SUPERAntiSpyware.com
2007-12-04 19:50:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-03 20:21:16 0 d-------- C:\Program Files\Trend Micro
2007-11-24 21:24:12 0 d-------- C:\VundoFix Backups
2007-11-24 20:18:04 0 d-------- C:\Documents and Settings\Matt Ellington\Application Data\AdwareAlert
2007-11-14 19:09:38 0 d-------- C:\Program Files\XoftSpySE

-- Find3M Report ---------------------------------------------------------------

2007-12-04 19:50:26 0 d-------- C:\Program Files\Common Files
2007-12-04 05:03:03 0 d-------- C:\Program Files\Java
2007-11-23 19:45:27 0 d-------- C:\Program Files\AOL Deskbar
2007-11-19 00:25:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-19 00:25:29 0 d-------- C:\Program Files\Britannica
2007-10-27 15:50:07 0 d-------- C:\Program Files\Common Files\Matts Ipod5

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 12:00 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/16/2005 08:43 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [12/15/2002 07:47 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/06/2003 01:16 PM]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [08/21/2003 06:10 PM]
"MCAgentExe"="C:\PROGRA~1\McAfee.com\Agent\McAgent.exe" [08/27/2003 11:00 AM]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [08/08/2003 06:02 PM]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [08/17/2003 09:50 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\Matt Ellington\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 8:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [10/22/2003 1:27:05 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Documents and Settings\Matt Ellington\My Documents\Death1\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Documents and Settings\Matt Ellington\My Documents\Death1\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Documents and Settings\Matt Ellington\My Documents\Death1\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddccd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3c141b17]
rundll32.exe "C:\WINDOWS\system32\buunobvf.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0a\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1144185022\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Documents and Settings\Matt Ellington\My Documents\spyhunder\SpyHunter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Documents and Settings\Matt Ellington\My Documents\Death1\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
%SystemRoot%\system32\mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
"C:\Program Files\support.com\bin\tgcmd.exe" /server

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

-- End of Deckard's System Scanner: finished at 2007-12-07 19:42:47 ------------


----------



## WEllin11 (Nov 23, 2007)

There was one more .txt on the Task bar. Maybe it has additional info. Here it is.
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.40GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 2.40GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 510.98 MiB / 233.48 MiB
Pagefile Memory (total/avail): 1248.84 MiB / 1027.68 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.54 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.21 GiB total, 21.76 GiB free. 
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC35L060AVV207-0 - 37.25 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 37.21 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Matt Ellington\Application Data
CLASSPATH=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=US-ELLINGTOMS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Matt Ellington
LOGONSERVER=\\US-ELLINGTOMS
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MATTEL~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MATTEL~1\LOCALS~1\Temp
USERDOMAIN=US-ELLINGTOMS
USERNAME=Matt Ellington
USERPROFILE=C:\Documents and Settings\Matt Ellington
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

smithat _(new local, net ready)_
ellingtoms _(new local, net ready)_
Matt Ellington _(admin)_

-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S /R 
--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45893FEB-30FD-4034-8661-3BA4238FE67A}\SETUP.EXE" -l0x9 -uninst -y -a -f"b2003ce.isu"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> rundll32 C:\PROGRA~1\NEED2F~1\bar\1.bin\Nd2fnBar.dll,O 
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Coach Version 2.0(Build:20041026.5 en) --> C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL Deskbar --> "C:\Program Files\AOL Deskbar\UNWISE.EXE" /u "C:\Program Files\AOL Deskbar\INSTALL.LOG"
AOL Toolbar --> "C:\Program Files\AOL Toolbar\UNWISE.EXE" /u "C:\Program Files\AOL Toolbar\INSTALL.LOG"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
BearShare --> C:\PROGRA~1\BEARSH~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\BEARSH~1\INSTALL.LOG
Britannica Ready Reference --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45893FEB-30FD-4034-8661-3BA4238FE67A}\SETUP.EXE" -l0x9 -uninst 
CardRd81 --> MsiExec.exe /I{54C8FE84-89C4-40E8-976C-439EB0729BD6}
CC_ccStart --> MsiExec.exe /I{D6414CC7-F215-467F-88B1-546ED863F35B}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
ComcastSUPPORT --> "C:\Program Files\support.com\bin\tgfix.exe" /rm /nq
Command & Conquer Red Alert 2 --> C:\Westwood\RA2\Uninstll.EXE
Compact Wireless-G USB Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F855C3AE-992D-4B84-A09D-07103CDCDAC2}\setup.exe" -l0x9 
CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
DAO --> MsiExec.exe /I{64116298-93C5-401D-B06C-39D8E3338508}
DC++ 0.691 --> "C:\Program Files\DC++\uninstall.exe"
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
DirectVideo --> "C:\Program Files\DirectVideo\Uninstall.exe"
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DS21Patch --> MsiExec.exe /I{9B79DCB0-AAD7-456B-8D07-433C936FA24B}
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
EarthLink Setup Files --> MsiExec.exe /X{9B2CFE3B-7F55-4786-A20D-BB244914F6D8}
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSEMAIL --> MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
ESSTUTOR --> MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
FLV Player 1.3.3 --> "C:\Program Files\FLVPlayer\uninstall.exe"
FreeSpace --> C:\WINDOWS\ISUNINST.EXE -fC:\Games\FREESP~2\Uninst.isu -cC:\Games\FreeSpace\fsuninst.dll
FreeSpace 2 --> C:\WINDOWS\ISUNINST.EXE -fC:\Games\FreeSpace2\Uninst.isu -cC:\Games\FreeSpace2\fs2uninst.dll
GTK+ Runtime 2.2.4 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
HLPSFO --> MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
Homeworld2 --> C:\Program Files\Sierra\Homeworld2\uninstall.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp deskjet 6122 --> MsiExec.exe /X{E1F4FB82-3EA6-46B6-A18A-9B3A62DA393E}
hp deskjet 6122 series --> rundll32 hpzcon07.dll,VendorJettison hp deskjet 6122 series
Independence War 2 - Edge of Chaos --> C:\PROGRA~1\INFOGR~1\INDEPE~1\UNWISE.EXE C:\PROGRA~1\INFOGR~1\INDEPE~1\INSTALL.LOG
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
Intel(R) PROSet --> MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033 
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{78F4DFCE-1336-4027-BCB2-1A00C24A8653} /l1033 
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140011_1d184d\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
LimeWire 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 1.90 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
McAfee SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee VirusScan --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=1 /start=c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 SR-1 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Pure Networks Port Magic --> C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe -Uninstall -ShowUI
Quicken 2002 New User Edition --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\QUICKENW\Uninst.isu" -c"C:\Program Files\QUICKENW\uninst.dll"
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{4E5E22C2-1386-47AE-8EDE-32DDCDCD6653} /l1033 
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
RTC Client API v1.2 --> MsiExec.exe /X{44CDBD1B-89FB-4E02-8319-2A4C550F664A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Sound Blaster Live! --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}\setup.exe" -l0x9 
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WinAce Archiver --> "C:\Program Files\WinAce\SXUNINST.EXE" "C:\Program Files\WinAce\SXUNINST.INI"
Windows Blaster Worm Removal Tool (KB833330) --> C:\WINDOWS\$NtUninstallKB833330$\spuninst\spuninst.exe
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
WordPerfect Office 11 --> MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}

-- Application Event Log -------------------------------------------------------

Event Record #/Type11511 / Error
Event Submitted/Written: 12/07/2007 07:26:57 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type11504 / Error
Event Submitted/Written: 12/07/2007 07:25:57 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type11503 / Error
Event Submitted/Written: 12/07/2007 00:27:56 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type11502 / Error
Event Submitted/Written: 12/07/2007 04:27:55 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type11501 / Error
Event Submitted/Written: 12/06/2007 08:27:54 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type85158 / Warning
Event Submitted/Written: 12/07/2007 07:25:56 PM / 12/07/2007 07:26:20 PM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel(R) PRO/100 VE Network Connection: Adapter Link Down

Event Record #/Type85154 / Error
Event Submitted/Written: 12/07/2007 07:25:57 PM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Domain Controller is available for domain DLU_NT due to the following: 
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Event Record #/Type85150 / Error
Event Submitted/Written: 12/07/2007 07:25:25 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type85149 / Error
Event Submitted/Written: 12/07/2007 07:25:16 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type85148 / Error
Event Submitted/Written: 12/07/2007 06:11:24 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load: 
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Tcpip

-- End of Deckard's System Scanner: finished at 2007-12-07 19:42:47 ------------


----------



## JSntgRvr (Jul 1, 2003)

Hi, *WEllin11* 

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, *Regfix.reg* . Once extracted, open the folder and double click on the *Regfix.reg* file and select *Yes* when prompted to merge it into the registry.

The rest looks clear. How is the computer doing?


----------



## WEllin11 (Nov 23, 2007)

I am afraid to leave the computer with access to the internet for fear of it downloading more malware. I have not done the Regfix yet but will. Does it look like I can leave it connected to the internet now? Let me know while I do the regfix.
Wayne


----------



## WEllin11 (Nov 23, 2007)

Some WinAce ad came up wanting me to change association with the zip file? I just closed it out. What should I have done?
Wayne


----------



## JSntgRvr (Jul 1, 2003)

WEllin11 said:


> Some WinAce ad came up wanting me to change association with the zip file? I just closed it out. What should I have done?
> Wayne


It isn't an *Ad*, but a program installed in your computer, *WinAce Archiver*. Do you recognize this program? Windows has its own utility to .zip and unzip folders. You don't need this program to do so.

Other than that, *how is it doing?*


----------



## WEllin11 (Nov 23, 2007)

Should I reconnect to the internet and resume normal use? What did you see being the biggest problem?
Wayne


----------



## WEllin11 (Nov 23, 2007)

I forgot to mention that I don't recall a program WinAce Archiver. Should I do an uninstall if it is in ADD/REMOVE Programs?
Wayne


----------



## JSntgRvr (Jul 1, 2003)

WEllin11 said:


> I forgot to mention that I don't recall a program WinAce Archiver. Should I do an uninstall if it is in ADD/REMOVE Programs?
> Wayne


If you do not recognize it, by all means.


----------



## JSntgRvr (Jul 1, 2003)

WEllin11 said:


> Should I reconnect to the internet and resume normal use? What did you see being the biggest problem?
> Wayne


Sorry, but I see you posted several times.

There is no reason not to resume normal use. There was some adware in your system, but now it is gone. Nothing to worry about. I need to know how the computer is doing to submit my last remarks to complete the cleaning.

*How is it doing?*


----------



## WEllin11 (Nov 23, 2007)

Since you were confident my computer was clean; I enabled the internet connection. Instead of leaving well enough alone, I went to Add/Remove Programs to clean things up a bit. I removed the WinArchive, an old Symantec updater (I now have McAfee) then tried to remove the SuperAntiSpyware. When it rebooted after removal, I noticed the Starting Windows message took much longer than usual. Finally the icons came up, but no Task Bar!? Then I got a message that McAfee Antivirus was not able to start. Realizing something very bad had happened, I tried to go to Restore. I got a message saying the Restore function is no longer working. I even tried booting in the Safe Mode; same result. I am absolutely sick!!! What do I do now??!!
Wayne


----------



## JSntgRvr (Jul 1, 2003)

WEllin11 said:


> Since you were confident my computer was clean; I enabled the internet connection. Instead of leaving well enough alone, I went to Add/Remove Programs to clean things up a bit. I removed the WinArchive, an old Symantec updater (I now have McAfee) then tried to remove the SuperAntiSpyware. When it rebooted after removal, I noticed the Starting Windows message took much longer than usual. Finally the icons came up, but no Task Bar!? Then I got a message that McAfee Antivirus was not able to start. Realizing something very bad had happened, I tried to go to Restore. I got a message saying the Restore function is no longer working. I even tried booting in the Safe Mode; same result. I am absolutely sick!!! What do I do now??!!
> Wayne


When you remove programs, registry keys are removed and/or modified, and there is also the possibility that the registry may get corrupted.

Press the Windows key and right click on the start menu. Select Properties, then Taskbar.

Is the Auto-hide Taskbar setting checked?

Move your mouse cursor to the bottom of the Screen. If it becomes an arrow, drag the taskbar up.

Keep me posted


----------



## WEllin11 (Nov 23, 2007)

The Windows key does not work. I had a shortcut to Control Panel and checked the Properties of the Task Bar and Auto Hide is not selected. I can not drag the Task Bar up to where I can see it. I don't think it is there. The error message I get says, " an error occurred while initializing Active Shield. Your system might be running out of resources or Disc space. Please close other applications and try restarting Active Shield." I am not low on disc space, nor is anything unusual that I can tell running while Windows should be booting up. I hope you can help with this; I'm really bummed now.
Wayne


----------



## JSntgRvr (Jul 1, 2003)

> The Windows key does not work


Did you attempt to reinstall?

The issue seems to have been produced by a corruption in your registry; however, it seems that you have tried other ways to resolve the issue, but blindfolded. Consequently the possibilities that you may recover from this are slim.

I am enclosing a batch file. This file will recover the registry hives backed-up by Deckard's System Scanner.

Please download the enclosed folder. Save and extract its contents to the desktop. It is a batch file. Once extracted, double-click on the *Restore.bat* file. The MSDOS window will appear for a second. That is normal. Restart the computer once done.

Keep me posted.


----------



## WEllin11 (Nov 23, 2007)

I have not attempted to reinstall anything. I downloaded the file, ran the .bat and I did see the black dos screen flash by for a moment. Unfortunately, upon restart I have the same symptoms: The starting Windows message stays on for a long time, then the background picture comes up, the icons, but no task bar. Then I get the message "An error occurred while initializing active shield..." Please help. Sorry for taking so much of your time.
Wayne


----------



## JSntgRvr (Jul 1, 2003)

Hi, *WEllin11* 

You will need to remove McAfee from your system.

Press Ctrl+Alt+Delete to bring up the Task Manager. Run the following command as a New Task:

*Control appwiz.cpl*

Scroll down and remove all McAfee Programs.

Restart the computer when done. Let me know how it goes.

BTW: What version of McAfee are you running?


----------



## WEllin11 (Nov 23, 2007)

Under Task Manager, I did File, Run new task Control appwiz.cpl. It brought up the Add/Remove Program screen that I have used. I clicked on McAfee Security Center and hit the Remove button. The line turned gray, seemed to hang up the computer, never went away, then returned to normal brightness. The next McAfee program just below it, McAfee Virus Shield, reacted exactly the same. Neither would remove. Remember, one of the symptoms is upon restart, I get a McAfee error message indicating that an error occurred while initiating Active shield. I found the McAfee folder, but could not find any uninstall applications inside. The Version was whatever AOL gives out for free and it was updated automatically. There is no icon on the Task Bar to look at the "About" to get the version from, as I don't have a Task Bar. Just by the way, AOL has just today sent a message indicating that the previous versions it passed out will expire and I am to download a new version of McAfee. I did this on the family computer and it looked a little different, but I assume it does the same job. Should I download the latest from AOL McAfee version onto the computer experiencing this trouble?


----------



## JSntgRvr (Jul 1, 2003)

Hi, *WEllin11* 

*Download and run the McAfee Removal tool*

*This tool is not compatible with Microsoft Windows 98 or ME.*


Download the removal tool from *HERE*.
Click Save and save the file to any folder on the computer. 
Navigate to the folder where the file is saved. 
Double-click MCPR.exe. 
Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed. 
*Note*: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.

After the second window appears, the program will begin the cleanup. 
Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
The machine must reboot to complete the un-installation. Reboot now? [y.n]
Press Y on the keyboard. 
Wait for the computer to restart. 
All *McAfee* products are now removed from your computer.

Do not download McAfee from AOL. It is notorious for being a resource hog.

Antivirus programs play an important role in the protection of your system. Here are some options:

*Free Protection*:

*AVG FREE*
*AVIRA*
*AVAST*
*Activevirusshield*

*Shareware:*

*Node32*

*Recommendation:*
->* Node32*


Keep me posted.


----------



## WEllin11 (Nov 23, 2007)

Well, I followed the instructions and upon reboot no longer get the error message about McAfee initializing. However, there is still no task bar. One other clue, maybe, was that when I clicked on your message- download the removal tool from "HERE" it would not download. I had to right click and hit "save as" to get it to download. One other thing I noted; upon reboot the starting Windows message still shows longer than usual. When it booted up, I was curious about whether I was hooked to the internet yet because there is no icon on the task bar indicating wireless hookup to be seen. So I went to Control Panel, Network Connections to see if it was active or not. A message came up indicating there were no connections to be found in the folder. The folder appears to be empty. I hope I am not over complicating the problem by giving you these other symptoms. When I went to Internet Explorer, it got me back to Tech Guy forums OK, so I must be connected. Anyway, what is the next step?
Wayne
PS Thanks for hanging in there with me! I do not want to reformat the hard drive and reload everything from scratch.


----------



## WEllin11 (Nov 23, 2007)

I rebooted again and went back to the Network Connections in the Control Panel and wrote down the exact message that I got, "The Network Connections Folder was unable to retrieve the list of Network adaptors on you machine. Maske sure Network Connections service in enabled and running." I have tried clicking on the "AVGFree" hyperlink in Blue, but do not get the redirect or download.
Wayne


----------



## JSntgRvr (Jul 1, 2003)

WEllin11 said:


> Well, I followed the instructions and upon reboot no longer get the error message about McAfee initializing. However, *there is still no task bar*. One other clue, maybe, was that when I clicked on your message- download the removal tool from "HERE" it would not download. I had to right click and hit "save as" to get it to download. One other thing I noted; upon reboot the starting Windows message still shows longer than usual. When it booted up, I was curious about whether I was hooked to the internet yet because *there is no icon on the task bar indicating wireless hookup to be seen.* So I went to Control Panel, Network Connections to see if it was active or not. A message came up indicating there were no connections to be found in the folder. The folder appears to be empty. I hope I am not over complicating the problem by giving you these other symptoms. When I went to Internet Explorer, it got me back to Tech Guy forums OK, so I must be connected. Anyway, what is the next step?
> Wayne
> PS Thanks for hanging in there with me! I do not want to reformat the hard drive and reload everything from scratch.


Your post is confusing. Is the Taskbar and Start button visible?

Run the following command as a New Task:

*Services.msc*

Scroll down to *Remote Procedure Call* and right click on it. Make sure it is started and set to Automatic.

Scroll up to *Network Connections* and right click on it. Make sure it is started and set to Manual.

Try again.


----------



## WEllin11 (Nov 23, 2007)

Sorry, the Start button and Task Bar are not visible. Ran the Services.msc and scrolled down to RPC. It was not running and set to Automatic. I right clicked and hit Start. Got the following message: Services: Could not start the Remote Procedure Call service on Local Computer. Error 1069: The service did not start due to logon failure.
Then I went up to Network Connections; it was not running and set to Manual. I right clicked and hit Start. Got the following message: Services: Could not start Network Connections Service on Local Computer. Error 1068: The dependency service or group failed to start.


----------



## JSntgRvr (Jul 1, 2003)

Ouch!

The Network Connections will not work unless the RPC is running.

Let's check for restrictions in your system.


*Copy the entire contents of the Code Box * below to *Notepad*. 
Name the file as *Policies.bat* 
Change the *Save as Type* to *All Files * 
and *Save* it on the *desktop* (or on a place you can access)
Once saved, double click on the *Policies.bat* file and post its report. (This is a huge report. Attach it to the reply if easier)


```
@ECHO OFF
IF EXIST logit.txt Del logit.txt
ECHO Working .....
Reg Query "HKCU\Software\Policies" /s >> Logit.txt
Reg Query "HKLM\SOFTWARE\Policies" /s >> Logit.txt
Reg Query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Policies" /s >> logit.txt
Reg Query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Policies" /s >> logit.txt
Reg Query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies" /s >> logit.txt
Reg Query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" /s >> logit.txt
Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s >> logit.txt
Start logit.txt
```
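The report that Policies.bat produces is long, and the interesting entries (restriction policies set to 0x1, or Winlogon values pointing somewhere other than the stock Explorer shell) are easy to miss when scrolling through hundreds of SystemCertificates and IPSec keys. The following Python script is an added example, not JSntgRvr's tool or part of the original thread: it parses `reg query /s` output in the REG.EXE 3.0 format shown in the thread (a key line, then `name<TAB>TYPE<TAB>data` lines, blank line between keys) and reports only the values a cleaner would care about. The restriction names are real Explorer/System policy values; the expected Winlogon values are the stock Windows XP ones; the sample report embedded below is constructed for the demo and is not Wayne's actual log.

```python
"""Triage a Policies.bat-style ``reg query /s`` dump (added example).

Flags two things a helper looks for when a machine has no taskbar or
locked-out tools: restriction policies set to a non-zero DWORD, and
Winlogon Shell/Userinit values that differ from the stock XP settings.
"""
import re

# Real Explorer/System policy value names that, when set to 0x1, hide or
# disable recovery tools (Task Manager, regedit, Run, Control Panel, ...).
RESTRICTIONS = {
    "DisableTaskMgr", "DisableRegistryTools", "NoRun", "NoControlPanel",
    "NoDesktop", "NoFolderOptions", "NoSetTaskbar", "NoTrayContextMenu",
}

# Stock Windows XP values under HKLM\...\Windows NT\CurrentVersion\Winlogon.
# Compared case-insensitively; anything else deserves a look.
WINLOGON_EXPECTED = {
    "Shell": "explorer.exe",
    "Userinit": "c:\\windows\\system32\\userinit.exe,",
}

# name, REG_* type, data; whitespace between fields may be tabs or spaces.
VALUE_RE = re.compile(r"^\s*(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Yield (key, name, type, data) tuples from reg query /s output."""
    key = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):      # blank / banner
            continue
        if stripped.upper().startswith(("HKEY_", "HKLM", "HKCU")):
            key = stripped                                  # new key header
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2), m.group(3).strip()


def find_issues(text):
    """Return human-readable findings for restriction and Winlogon anomalies."""
    issues = []
    for key, name, vtype, data in parse_reg_query(text):
        k = key.lower()
        if "\\policies\\" in k and name in RESTRICTIONS and vtype == "REG_DWORD":
            if int(data, 16) != 0:
                issues.append(f"restriction {name}={data} under {key}")
        if k.endswith("\\winlogon") and name in WINLOGON_EXPECTED:
            if data.lower() != WINLOGON_EXPECTED[name]:
                issues.append(
                    f"Winlogon {name} is {data!r}, expected "
                    f"{WINLOGON_EXPECTED[name]!r}")
    return issues


# Constructed sample in the same layout as the thread's report: one benign
# Messenger policy, one active Task Manager restriction, and a Userinit
# value with a hypothetical extra program appended.
SAMPLE_REPORT = (
    "! REG.EXE VERSION 3.0\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Messenger\\Client\n"
    "PreventAutoRun\tREG_DWORD\t0x1\n"
    "\n"
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\n"
    "DisableTaskMgr\tREG_DWORD\t0x1\n"
    "DisableRegistryTools\tREG_DWORD\t0x0\n"
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "Shell\tREG_SZ\tExplorer.exe\n"
    "Userinit\tREG_SZ\tC:\\WINDOWS\\system32\\userinit.exe,"
    "C:\\WINDOWS\\system32\\hypothetical_extra.exe\n"
)

if __name__ == "__main__":
    import sys
    # Usage: python triage.py logit.txt   (defaults to the built-in sample)
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for issue in find_issues(report) or ["no restrictions or Winlogon anomalies"]:
        print(issue)
```

Run it against the saved logit.txt; values such as PreventAutoRun or EnableAdminTSRemote that appear in the thread's report are not in the restriction list and stay silent, so only the entries that would explain a missing taskbar or disabled tools are printed.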


----------



## WEllin11 (Nov 23, 2007)

How do I save this to Notepad?


----------



## JSntgRvr (Jul 1, 2003)

Select all from the Code box. Run *Notepad.exe *as a New Task. Right click on the document and Paste, then *Save* to *C:\* as *Policies.bat* (change Save as Type to All Files). Once done, run *C:\Policies.bat* as a New Task. Copy and paste the results on a reply.


----------



## WEllin11 (Nov 23, 2007)

I could not get the Paste function to work on the problem computer, so I copied the .bat file onto a diskette and ran it from the A drive. Here is the report attached. Seemed like I saw a lot of errors while it was being generated. It was also too long, so I'll cut it in half to post it all. This is not looking good, is it?
Wayne

! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Policies\Microsoft
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca\Certificates

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca\CRLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\ca\CTLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\AppCompat

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Conferencing

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client
PreventAutoRun	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CRLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\CTLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS
EFSBlob	REG_BINARY	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

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates\A1E7C0CCFC5DCECB36C4E1FC87DF55DBA00B8600
Blob	REG_BINARY	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

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\CRLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\CTLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\CRLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root\CTLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
EnableAdminTSRemote	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecFilter
description	REG_SZ	Matches all ICMP packets between this computer and any other computer.
name	REG_SZ	ipsecFilter{72385235-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	All ICMP Traffic
ipsecID	REG_SZ	{72385235-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B520DC80C82ED111A89E00A0248D302152000000010000000200000000000200000000000A000000490043004D0050000000504D82C8E4437D48BA45C46487AB1D5F0100000000000000FFFFFFFF00000000000000000000000001000000000000000000000000
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d9b103a6-aac9-4f47-a798-3e2dec0cd6d3}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{53633ec0-5258-44e9-87d6-c03e73624b22}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecFilter
description	REG_SZ	Matches all IP packets from this computer to any other computer, except broadcast, multicast, Kerberos, RSVP and ISAKMP (IKE).
name	REG_SZ	ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	All IP Traffic
ipsecID	REG_SZ	{7238523a-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B520DC80C82ED111A89E00A0248D30214A00000001000000020000000000020000000000020000000000E6E98F201AB26941B06EFED45E82D7CC0100000000000000FFFFFFFF00000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{19063139-c32a-422d-b8e8-c09da3c1e483}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{6d7fb14a-969c-48e7-b62c-4608988d71ee}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385231-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecISAKMPPolicy
name	REG_SZ	ipsecISAKMPPolicy{72385231-70fa-11d1-864c-14a300000000}
ipsecID	REG_SZ	{72385231-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B820DC80C82ED111A89E00A0248D302140010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000003000000000000000000000002000000000000000000000000000000000000000000000000000000020000000000000000000000807000000000000000000000030000000000000000000000010000000000000000000000000000000000000000000000000000000200000000000000000000008070000000000000000000000100000000000000000000000200000000000000000000000000000000000000000000000000000001000000000000000000000080700000000000000000000001000000000000000000000001000000000000000000000000000000000000000000000000000000010000000000000000000000807000000000000000
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385230-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecISAKMPPolicy
name	REG_SZ	ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}
ipsecID	REG_SZ	{72385234-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B820DC80C82ED111A89E00A0248D302140010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000003000000000000000000000002000000000000000000000000000000000000000000000000000000020000000000000000000000807000000000000000000000030000000000000000000000010000000000000000000000000000000000000000000000000000000200000000000000000000008070000000000000000000000100000000000000000000000200000000000000000000000000000000000000000000000000000001000000000000000000000080700000000000000000000001000000000000000000000001000000000000000000000000000000000000000000000000000000010000000000000000000000807000000000000000
whenChanged	REG_DWORD	0x3d75216e

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385237-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecISAKMPPolicy
name	REG_SZ	ipsecISAKMPPolicy{72385237-70fa-11d1-864c-14a300000000}
ipsecID	REG_SZ	{72385237-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B820DC80C82ED111A89E00A0248D302140010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000003000000000000000000000002000000000000000000000000000000000000000000000000000000020000000000000000000000807000000000000000000000030000000000000000000000010000000000000000000000000000000000000000000000000000000200000000000000000000008070000000000000000000000100000000000000000000000200000000000000000000000000000000000000000000000000000001000000000000000000000080700000000000000000000001000000000000000000000001000000000000000000000000000000000000000000000000000000010000000000000000000000807000000000000000
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385236-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7238523d-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecISAKMPPolicy
name	REG_SZ	ipsecISAKMPPolicy{7238523d-70fa-11d1-864c-14a300000000}
ipsecID	REG_SZ	{7238523d-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B820DC80C82ED111A89E00A0248D302140010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000003000000000000000000000002000000000000000000000000000000000000000000000000000000020000000000000000000000807000000000000000000000030000000000000000000000010000000000000000000000000000000000000000000000000000000200000000000000000000008070000000000000000000000100000000000000000000000200000000000000000000000000000000000000000000000000000001000000000000000000000080700000000000000000000001000000000000000000000001000000000000000000000000000000000000000000000000000000010000000000000000000000807000000000000000
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{11dfac47-27d3-4a36-9ddd-f2fa107c8693}
ClassName	REG_SZ	ipsecNegotiationPolicy
name	REG_SZ	ipsecNegotiationPolicy{11dfac47-27d3-4a36-9ddd-f2fa107c8693}
ipsecID	REG_SZ	{11dfac47-27d3-4a36-9ddd-f2fa107c8693}
ipsecNegotiationPolicyAction	REG_SZ	{8a171dd3-77e3-11d1-8659-a04f00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e13-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021E40100000600000000000000000000000000000000000000010000000300000002000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000030000000100000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000001000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000020000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{b6084394-15e0-4693-a2eb-eb4ab2aa969f}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{29911e57-c362-45eb-b499-63b2319f2e9c}
ClassName	REG_SZ	ipsecNegotiationPolicy
name	REG_SZ	ipsecNegotiationPolicy{29911e57-c362-45eb-b499-63b2319f2e9c}
ipsecID	REG_SZ	{29911e57-c362-45eb-b499-63b2319f2e9c}
ipsecNegotiationPolicyAction	REG_SZ	{8a171dd3-77e3-11d1-8659-a04f00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e13-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021E40100000600000000000000000000000000000000000000010000000300000002000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000030000000100000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000001000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000020000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e561b969-abac-4cc4-957f-a038d0ead805}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{6c70debf-dfd5-4d8f-9b1e-4fbe4202d385}
ClassName	REG_SZ	ipsecNegotiationPolicy
name	REG_SZ	ipsecNegotiationPolicy{6c70debf-dfd5-4d8f-9b1e-4fbe4202d385}
ipsecID	REG_SZ	{6c70debf-dfd5-4d8f-9b1e-4fbe4202d385}
ipsecNegotiationPolicyAction	REG_SZ	{8a171dd3-77e3-11d1-8659-a04f00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e13-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021E40100000600000000000000000000000000000000000000010000000300000002000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000030000000100000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000001000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000020000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d05bf3b3-6019-4931-82d7-99a0cdc62cb4}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecNegotiationPolicy
description	REG_SZ	Accepts unsecured communication, but requests clients to establish trust and security methods. Will communicate insecurely to untrusted clients if they do not respond to request.
name	REG_SZ	ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	Request Security (Optional)
ipsecID	REG_SZ	{72385233-70fa-11d1-864c-14a300000000}
ipsecNegotiationPolicyAction	REG_SZ	{3f91a81a-7647-11d1-864d-d46a00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e10-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021940100000500000084030000A086010000000000000000000100000003000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000084030000A08601000000000000000000010000000100000002000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002C010000A08601000000000000000000010000000200000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002C010000A0860100000000000000000001000000010000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{6d7fb14a-969c-48e7-b62c-4608988d71ee}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecNegotiationPolicy
description	REG_SZ	Permit unsecured IP packets to pass through.
name	REG_SZ	ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	Permit
ipsecID	REG_SZ	{7238523b-70fa-11d1-864c-14a300000000}
ipsecNegotiationPolicyAction	REG_SZ	{8a171dd2-77e3-11d1-8659-a04f00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e10-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021040000000000000000
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d9b103a6-aac9-4f47-a798-3e2dec0cd6d3}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{53633ec0-5258-44e9-87d6-c03e73624b22}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecNegotiationPolicy
description	REG_SZ	Accepts unsecured communication, but always requires clients to establish trust and security methods. Will NOT communicate with untrusted clients.
name	REG_SZ	ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	Require Security
ipsecID	REG_SZ	{7238523f-70fa-11d1-864c-14a300000000}
ipsecNegotiationPolicyAction	REG_SZ	{3f91a81a-7647-11d1-864d-d46a00000000}
ipsecNegotiationPolicyType	REG_SZ	{62f49e10-6c37-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	B920DC80C82ED111A89E00A0248D3021440100000400000084030000A086010000000000000000000100000003000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000084030000A086010000000000000000000100000003000000010000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000084030000A086010000000000000000000100000001000000020000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000084030000A086010000000000000000000100000001000000010000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{19063139-c32a-422d-b8e8-c09da3c1e483}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{19063139-c32a-422d-b8e8-c09da3c1e483}
ClassName	REG_SZ	ipsecNFA
name	REG_SZ	ipsecNFA{19063139-c32a-422d-b8e8-c09da3c1e483}
ipsecName	REG_SZ	Require Security
description	REG_SZ	Accepts unsecured communication, but always requires clients to establish trust and security methods. Will NOT communicate with untrusted clients.
ipsecID	REG_SZ	{19063139-c32a-422d-b8e8-c09da3c1e483}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	00ACBB118D49D111863900A0248D30212A0000000100000005000000020000000000FDFFFFFF0200000000000000000000000000010000000200000000000101010101010101010101010101010101000000050000000000000000
ipsecNegotiationPolicyReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}
ipsecFilterReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}\0\0
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{53633ec0-5258-44e9-87d6-c03e73624b22}
ClassName	REG_SZ	ipsecNFA
name	REG_SZ	ipsecNFA{53633ec0-5258-44e9-87d6-c03e73624b22}
ipsecName	REG_SZ	Permit unsecure ICMP packets to pass through.
description	REG_SZ	Permit unsecure ICMP packets to pass through.
ipsecID	REG_SZ	{53633ec0-5258-44e9-87d6-c03e73624b22}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	00ACBB118D49D111863900A0248D30212A0000000100000005000000020000000000FDFFFFFF0200000000000000000000000000010000000200000000000101010101010101010101010101010101000000050000000000000000
ipsecNegotiationPolicyReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}
ipsecFilterReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}\0\0
whenChanged	REG_DWORD	0x3d75216e
ipsecOwnersReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385230-70fa-11d1-864c-14a300000000}\0\0


----------



## WEllin11 (Nov 23, 2007)

Last half below:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{72385236-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecPolicy
description	REG_SZ	Communicate normally (unsecured). Use the default response rule to negotiate with servers that request security. Only the requested protocol and port traffic with that server is secured.
name	REG_SZ	ipsecPolicy{72385236-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	Client (Respond Only)
ipsecID	REG_SZ	{72385236-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	632120224C4FD111863B00A0248D302104000000302A000000
ipsecISAKMPReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385237-70fa-11d1-864c-14a300000000}
whenChanged	REG_DWORD	0x3d75216e
ipsecNFAReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{b6084394-15e0-4693-a2eb-eb4ab2aa969f}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}
ClassName	REG_SZ	ipsecPolicy
description	REG_SZ	For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients.
name	REG_SZ	ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}
ipsecName	REG_SZ	Secure Server (Require Security)
ipsecID	REG_SZ	{7238523c-70fa-11d1-864c-14a300000000}
ipsecDataType	REG_DWORD	0x100
ipsecData	REG_BINARY	632120224C4FD111863B00A0248D302104000000302A000000
ipsecISAKMPReference	REG_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7238523d-70fa-11d1-864c-14a300000000}
whenChanged	REG_DWORD	0x3d75216e
ipsecNFAReference	REG_MULTI_SZ	SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{19063139-c32a-422d-b8e8-c09da3c1e483}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d9b103a6-aac9-4f47-a798-3e2dec0cd6d3}\0SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e561b969-abac-4cc4-957f-a038d0ead805}\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetCache

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RTC

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RTC\PortRange
Enabled	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
ExecutableTypes	REG_MULTI_SZ	ADE\0ADP\0BAS\0BAT\0CHM\0CMD\0COM\0CPL\0CRT\0EXE\0HLP\0HTA\0INF\0INS\0ISP\0LNK\0MDB\0MDE\0MSC\0MSI\0MSP\0MST\0OCX\0PCD\0PIF\0REG\0SCR\0SHS\0URL\0VB\0WSC\0\0
TransparentEnabled	REG_DWORD	0x1
DefaultLevel	REG_DWORD	0x40000
AuthenticodeEnabled	REG_DWORD	0x0
PolicyScope	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}
Description	REG_SZ	Stop the download of this file
FriendlyName	REG_SZ	Mdac11.cab
SaferFlags	REG_DWORD	0x0
HashAlg	REG_DWORD	0x8003
ItemData	REG_BINARY	5EAB304F957A49896A006C1C31154015
LastModified	REG_NONE	85C434DC19A2C201
ItemSize	REG_NONE	0B03000000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}
Description	REG_SZ	Stop the download of this file
FriendlyName	REG_SZ	mdac20.cab
SaferFlags	REG_DWORD	0x0
HashAlg	REG_DWORD	0x8003
ItemData	REG_BINARY	67B0D48B343A3FD3BCE9DC646704F394
LastModified	REG_NONE	038A39DC19A2C201
ItemSize	REG_NONE	0502000000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}
Description	REG_SZ	Stop the download of this file
FriendlyName	REG_SZ	mdac20_a.cab
SaferFlags	REG_DWORD	0x0
HashAlg	REG_DWORD	0x8003
ItemData	REG_BINARY	327802DCFEF8C893DC8AB006DD847D1D
LastModified	REG_NONE	BE7745DC19A2C201
ItemSize	REG_NONE	9603000000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}
Description	REG_SZ	Stop the download of this file
FriendlyName	REG_SZ	_msadc10.cab
SaferFlags	REG_DWORD	0x0
HashAlg	REG_DWORD	0x8003
ItemData	REG_BINARY	BD9A2ADB42EBD8560E250E4DF8162F67
LastModified	REG_NONE	814F3EDC19A2C201
ItemSize	REG_NONE	E500000000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}
Description	REG_SZ	Stop the download of this file
FriendlyName	REG_SZ	msadc11.cab
SaferFlags	REG_DWORD	0x0
HashAlg	REG_DWORD	0x8003
ItemData	REG_BINARY	386B085F84ECF669D36B956A22C01E80
LastModified	REG_NONE	40B240DC19A2C201
ItemSize	REG_NONE	7201000000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}
Description	REG_SZ	
SaferFlags	REG_DWORD	0x0
ItemData	REG_EXPAND_SZ	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*
LastModified	REG_NONE	3A3FAEC53B5BC501

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers
PhysicalLocationSupport	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
<NO NAME>	REG_SZ	
NoDriveTypeAutoRun	REG_DWORD	0xff
NoCDBurning	REG_DWORD	0x0
NoDriveAutoRun	REG_DWORD	0x3ffffff

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F}	REG_DWORD	0x1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}	REG_DWORD	0x40000021
{0DF44EAA-FF21-4412-828E-260A8728E7F1}	REG_DWORD	0x20

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system
dontdisplaylastusername	REG_DWORD	0x0
legalnoticecaption	REG_SZ	
legalnoticetext	REG_SZ	
shutdownwithoutlogon	REG_DWORD	0x1
undockwithoutlogon	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun	REG_DWORD	0x91

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell	REG_DWORD	0x1
DefaultDomainName	REG_SZ	US-ELLINGTOMS
DefaultUserName	REG_SZ	matt ellington
LegalNoticeCaption	REG_SZ	
LegalNoticeText	REG_SZ	
PowerdownAfterShutdown	REG_SZ	0
ReportBootOk	REG_SZ	1
Shell	REG_SZ	Explorer.exe
ShutdownWithoutLogon	REG_SZ	0
Userinit	REG_SZ	C:\WINDOWS\system32\userinit.exe,
VmApplet	REG_SZ	rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota	REG_DWORD	0xffffffff
allocatecdroms	REG_SZ	0
allocatedasd	REG_SZ	0
allocatefloppies	REG_SZ	0
cachedlogonscount	REG_SZ	10
forceunlocklogon	REG_DWORD	0x0
passwordexpirywarning	REG_DWORD	0xe
scremoveoption	REG_SZ	0
AllowMultipleTSSessions	REG_DWORD	0x0
UIHost	REG_EXPAND_SZ	logonui.exe
LogonType	REG_DWORD	0x0
DebugServerCommand	REG_SZ	no
SFCDisable	REG_DWORD	0x0
WinStationsDisabled	REG_SZ	0
HibernationPreviouslyEnabled	REG_DWORD	0x1
ShowLogonOptions	REG_DWORD	0x1
AltDefaultUserName	REG_SZ	matt ellington
AltDefaultDomainName	REG_SZ	US-ELLINGTOMS
AutoAdminLogon	REG_SZ	0
DisableCAD	REG_DWORD	0x0
CachePrimaryDomain	REG_SZ	DLU_NT
DCacheUpdate	REG_BINARY	C07F6D4D3939C801

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache
DLU_NT	REG_SZ	lipscomb.edu

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}
<NO NAME>	REG_SZ	Wireless
ProcessGroupPolicy	REG_SZ	ProcessWIRELESSPolicy
DllName	REG_EXPAND_SZ	gptext.dll
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}
<NO NAME>	REG_SZ	Folder Redirection
ProcessGroupPolicyEx	REG_SZ	ProcessGroupPolicyEx
DllName	REG_EXPAND_SZ	fdeploy.dll
NoMachinePolicy	REG_DWORD	0x1
NoSlowLink	REG_DWORD	0x1
PerUserLocalSettings	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x0
NoBackgroundPolicy	REG_DWORD	0x0
GenerateGroupPolicy	REG_SZ	GenerateGroupPolicy
EventSources	REG_MULTI_SZ	(Folder Redirection,Application)\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
Status	REG_DWORD	0x0
RsopStatus	REG_DWORD	0x0
LastPolicyTime	REG_DWORD	0xc17cd2
PrevSlowLink	REG_DWORD	0x0
PrevRsopLogging	REG_DWORD	0x1
ForceRefreshFG	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}
<NO NAME>	REG_SZ	Microsoft Disk Quota
NoMachinePolicy	REG_DWORD	0x0
NoUserPolicy	REG_DWORD	0x1
NoSlowLink	REG_DWORD	0x1
NoBackgroundPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1
PerUserLocalSettings	REG_DWORD	0x0
RequiresSuccessfulRegistry	REG_DWORD	0x1
EnableAsynchronousProcessing	REG_DWORD	0x0
DllName	REG_EXPAND_SZ	dskquota.dll
ProcessGroupPolicy	REG_SZ	ProcessGroupPolicy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}
<NO NAME>	REG_SZ	QoS Packet Scheduler
ProcessGroupPolicy	REG_SZ	ProcessPSCHEDPolicy
DllName	REG_EXPAND_SZ	gptext.dll
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}
<NO NAME>	REG_SZ	Scripts
ProcessGroupPolicy	REG_SZ	ProcessScriptsGroupPolicy
ProcessGroupPolicyEx	REG_SZ	ProcessScriptsGroupPolicyEx
GenerateGroupPolicy	REG_SZ	GenerateScriptsGroupPolicy
DllName	REG_EXPAND_SZ	gptext.dll
NoSlowLink	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1
NotifyLinkTransition	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}
<NO NAME>	REG_SZ	Internet Explorer Zonemapping
DllName	REG_EXPAND_SZ	iedkcs32.dll
ProcessGroupPolicy	REG_SZ	ProcessGroupPolicyForZoneMap
NoGPOListChanges	REG_DWORD	0x1
RequiresSucessfulRegistry	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy	REG_SZ	SceProcessSecurityPolicyGPO
GenerateGroupPolicy	REG_SZ	SceGenerateGroupPolicy
ExtensionRsopPlanningDebugLevel	REG_DWORD	0x1
ProcessGroupPolicyEx	REG_SZ	SceProcessSecurityPolicyGPOEx
ExtensionDebugLevel	REG_DWORD	0x1
DllName	REG_EXPAND_SZ	scecli.dll
<NO NAME>	REG_SZ	Security
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1
EnableAsynchronousProcessing	REG_DWORD	0x1
MaxNoGPOListChangesInterval	REG_DWORD	0x3c0
PreviousPolicyAreas	REG_DWORD	0x1
Status	REG_DWORD	0x0
RsopStatus	REG_DWORD	0x0
LastPolicyTime	REG_DWORD	0xc36987
PrevSlowLink	REG_DWORD	0x0
PrevRsopLogging	REG_DWORD	0x1
ForceRefreshFG	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
ProcessGroupPolicyEx	REG_SZ	ProcessGroupPolicyEx
GenerateGroupPolicy	REG_SZ	GenerateGroupPolicy
ProcessGroupPolicy	REG_SZ	ProcessGroupPolicy
DllName	REG_EXPAND_SZ	iedkcs32.dll
<NO NAME>	REG_SZ	Internet Explorer Branding
NoSlowLink	REG_DWORD	0x1
NoBackgroundPolicy	REG_DWORD	0x0
NoGPOListChanges	REG_DWORD	0x1
NoMachinePolicy	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy	REG_SZ	SceProcessEFSRecoveryGPO
DllName	REG_EXPAND_SZ	scecli.dll
<NO NAME>	REG_SZ	EFS recovery
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1
RequiresSuccessfulRegistry	REG_DWORD	0x1
Status	REG_DWORD	0x0
RsopStatus	REG_DWORD	0x80070032
LastPolicyTime	REG_DWORD	0xc17cd2
PrevSlowLink	REG_DWORD	0x0
PrevRsopLogging	REG_DWORD	0x1
ForceRefreshFG	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
<NO NAME>	REG_SZ	Software Installation
DllName	REG_EXPAND_SZ	appmgmts.dll
ProcessGroupPolicyEx	REG_SZ	ProcessGroupPolicyObjectsEx
GenerateGroupPolicy	REG_SZ	GenerateGroupPolicy
NoBackgroundPolicy	REG_DWORD	0x0
RequiresSucessfulRegistry	REG_DWORD	0x0
NoSlowLink	REG_DWORD	0x1
PerUserLocalSettings	REG_DWORD	0x1
EventSources	REG_MULTI_SZ	(Application Management,Application)\0(MsiInstaller,Application)\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}
<NO NAME>	REG_SZ	IP Security
ProcessGroupPolicy	REG_SZ	ProcessIPSECPolicy
DllName	REG_EXPAND_SZ	gptext.dll
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon
DllName	REG_SZ	C:\Documents and Settings\Matt Ellington\My Documents\Death1\SASWINLO.dll
Logon	REG_SZ	SABWINLOLogon
Logoff	REG_SZ	SABWINLOLogoff
Startup	REG_SZ	SABWINLOStartup
Shutdown	REG_SZ	SABWINLOShutdown
Asynchronous	REG_DWORD	0x0
Impersonate	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Asynchronous	REG_DWORD	0x0
Impersonate	REG_DWORD	0x0
DllName	REG_EXPAND_SZ	crypt32.dll
Logoff	REG_SZ	ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Asynchronous	REG_DWORD	0x0
Impersonate	REG_DWORD	0x0
DllName	REG_EXPAND_SZ	cryptnet.dll
Logoff	REG_SZ	CryptnetWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
DLLName	REG_SZ	cscdll.dll
Logon	REG_SZ	WinlogonLogonEvent
Logoff	REG_SZ	WinlogonLogoffEvent
ScreenSaver	REG_SZ	WinlogonScreenSaverEvent
Startup	REG_SZ	WinlogonStartupEvent
Shutdown	REG_SZ	WinlogonShutdownEvent
StartShell	REG_SZ	WinlogonStartShellEvent
Impersonate	REG_DWORD	0x0
Asynchronous	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
DLLName	REG_SZ	wlnotify.dll
Logon	REG_SZ	SCardStartCertProp
Logoff	REG_SZ	SCardStopCertProp
Lock	REG_SZ	SCardSuspendCertProp
Unlock	REG_SZ	SCardResumeCertProp
Enabled	REG_DWORD	0x1
Impersonate	REG_DWORD	0x1
Asynchronous	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
Asynchronous	REG_DWORD	0x0
DllName	REG_EXPAND_SZ	wlnotify.dll
Impersonate	REG_DWORD	0x0
StartShell	REG_SZ	SchedStartShell
Logoff	REG_SZ	SchedEventLogOff

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Logoff	REG_SZ	WLEventLogoff
Impersonate	REG_DWORD	0x0
Asynchronous	REG_DWORD	0x1
DllName	REG_EXPAND_SZ	sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
DLLName	REG_SZ	WlNotify.dll
Lock	REG_SZ	SensLockEvent
Logon	REG_SZ	SensLogonEvent
Logoff	REG_SZ	SensLogoffEvent
Safe	REG_DWORD	0x1
MaxWait	REG_DWORD	0x258
StartScreenSaver	REG_SZ	SensStartScreenSaverEvent
StopScreenSaver	REG_SZ	SensStopScreenSaverEvent
Startup	REG_SZ	SensStartupEvent
Shutdown	REG_SZ	SensShutdownEvent
StartShell	REG_SZ	SensStartShellEvent
PostShell	REG_SZ	SensPostShellEvent
Disconnect	REG_SZ	SensDisconnectEvent
Reconnect	REG_SZ	SensReconnectEvent
Unlock	REG_SZ	SensUnlockEvent
Impersonate	REG_DWORD	0x1
Asynchronous	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
Asynchronous	REG_DWORD	0x0
DllName	REG_EXPAND_SZ	wlnotify.dll
Impersonate	REG_DWORD	0x0
Logoff	REG_SZ	TSEventLogoff
Logon	REG_SZ	TSEventLogon
PostShell	REG_SZ	TSEventPostShell
Shutdown	REG_SZ	TSEventShutdown
StartShell	REG_SZ	TSEventStartShell
Startup	REG_SZ	TSEventStartup
MaxWait	REG_DWORD	0x258
Reconnect	REG_SZ	TSEventReconnect
Disconnect	REG_SZ	TSEventDisconnect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
Logon	REG_SZ	WLEventLogon
Logoff	REG_SZ	WLEventLogoff
Startup	REG_SZ	WLEventStartup
Shutdown	REG_SZ	WLEventShutdown
StartScreenSaver	REG_SZ	WLEventStartScreenSaver
StopScreenSaver	REG_SZ	WLEventStopScreenSaver
Lock	REG_SZ	WLEventLock
Unlock	REG_SZ	WLEventUnlock
StartShell	REG_SZ	WLEventStartShell
PostShell	REG_SZ	WLEventPostShell
Disconnect	REG_SZ	WLEventDisconnect
Reconnect	REG_SZ	WLEventReconnect
Impersonate	REG_DWORD	0x1
Asynchronous	REG_DWORD	0x0
SafeMode	REG_DWORD	0x1
MaxWait	REG_DWORD	0xffffffff
DllName	REG_EXPAND_SZ	WgaLogon.dll
Event	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings
Data	REG_BINARY	(binary value omitted)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
DLLName	REG_SZ	wlnotify.dll
Logon	REG_SZ	RegisterTicketExpiredNotificationEvent
Logoff	REG_SZ	UnregisterTicketExpiredNotificationEvent
Impersonate	REG_DWORD	0x1
Asynchronous	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
HelpAssistant	REG_DWORD	0x0
TsInternetUser	REG_DWORD	0x0
SQLAgentCmdExec	REG_DWORD	0x0
NetShowServices	REG_DWORD	0x0
IWAM_	REG_DWORD	0x10000
IUSR_	REG_DWORD	0x10000
VUSR_	REG_DWORD	0x10000
ASPNET	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials


----------



## WEllin11 (Nov 23, 2007)

I may not have gotten the report cut exactly in half.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *WEllin11* 

There is nothing in that report that should contribute to this problem. We need to concentrate on the RPC Service. A colleague has suggested a possible fix:

Run:

*Services.msc*

Scroll down to *Remote Procedure Call* and double-click on it. Select the *Log On* tab. Make sure the *Local System Account* is selected. Click Ok.

Close all windows and restart the computer.

Let me know the outcome.


----------



## WEllin11 (Nov 23, 2007)

Remote Procedure Call is listed as "Network Services" under the "Logon As" column. I do not see a "Log On" tab or any way of changing it to "System Account".


----------



## Mosaic1 (Aug 17, 2001)

JSntgRvr isn't signed on right now. Sorry to butt in.

See attached pic to see what is meant.

We may have to look at your registry if this doesn't help.


----------



## JSntgRvr (Jul 1, 2003)

WEllin11 said:


> Remote Procedure Call is listed as "Network Services" under the "Logon As" column. I do not see a "Log On" tab or any way of changing it to "System Account".


You must scroll down to Remote Procedure Call and double click on it.

Can you see it now?


----------



## WEllin11 (Nov 23, 2007)

I did double click on it, which made it highlighted. But it is not running and there is no tab to make any changes. I could not make the thumbnail posted by another large enough for me to see. Sorry.


----------



## Mosaic1 (Aug 17, 2001)

> Remote Procedure Call is listed as "Network Services" under the "Logon As" column


Also, there is another service listed as Remote Procedure Call (RPC) Locator. This is a network services logon.

Please be sure you are looking at Remote Procedure call and not the Locator.


----------



## Mosaic1 (Aug 17, 2001)

Instead of double clicking on it, try this. Be sure you have the right service as described above.

Then right click on it and this will bring up a menu. Click Properties on that menu. This should bring up the properties page. This should have the Logon tab we told you about. Click that.


----------



## WEllin11 (Nov 23, 2007)

I am on the right one, but nothing happens other than highlighting when I double click on it. Nothing comes up like the thumbnail you posted.


----------



## Mosaic1 (Aug 17, 2001)

You posted at the same time as I did. 

Here are the new directions again:

Instead of double clicking on it, try this. Be sure you have the right service as described above.

Then right click on it and this will bring up a menu. Click Properties on that menu. This should bring up the properties page. This should have the Logon tab we told you about. Click that.


----------



## WEllin11 (Nov 23, 2007)

OK, I highlighted it, then did a right click. Selected Properties, but nothing else came up.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *WEllin11* 

Take a look at this link:

http://support.microsoft.com/kb/279783

Run the following command:

*Control nusrmgr.cpl*

Please create a new account with Administrative rights (Computer Administrator). Once done, restart the computer and logon under this new account.

Let me know if there is a difference.


----------



## Mosaic1 (Aug 17, 2001)

JSntgRvr is back again. I'll be reading to see what happens, but you're in very good hands with his help.

Good luck with this.


----------



## WEllin11 (Nov 23, 2007)

I can not see the site depicted by the hyperlink on the problem computer. I could see it on the family computer. The problem computer has Windows XP Pro. When I ran the Control nusrmgr.cpl it brought up a User Accounts window. It does not look like what is described in the hyperlink site. I did press the "Add" button to add a new user and give it Admin status. Unfortunately, the new name caused an error saying it could not be found in the Domain that I had copied from the other users listed.


----------



## JSntgRvr (Jul 1, 2003)

Please boot in Safe Mode and logon as the Administrator. If your normal account is loaded without giving you an option to logon as the Administrator, Log Off and you will be given the option to logon as the Administrator. Once logged on as the Administrator, create the new account with administrative rights. Restart and logon under the new account.

Let me know the outcome.


----------



## WEllin11 (Nov 23, 2007)

Booted in Safe Mode. Logged on as Administrator, but still can't "Add" a new user with Administrator privileges. After typing in the new name, selecting Administrator, then "Finish", I get an error that says "User .... could not be added to Administrators group because ... does not exist." Now what?
Wayne


----------



## Mosaic1 (Aug 17, 2001)

Ok, I wonder if the administrators group has been removed from your system.

First, are you running an English version of Windows?

If so, then please run a new task.
cmd.exe
When the black command window opens, type in this command and then press enter:

net localgroup

Tell me what you see listed as the local groups please.

Are you able to copy and paste, or not?


----------



## WEllin11 (Nov 23, 2007)

Yes, it is an English version of Windows. Ran cmd.exe then typed "net localgroup" and entered. Got the following message: "The Workstation service has not been started. More help is available ...." The computer with the problem does not appear to be able to "Paste".
What now?


----------



## JSntgRvr (Jul 1, 2003)

Run:

Services.msc

Scroll down to *Workstation*. Right click on it and select Properties. Make sure it is set to Automatic and is Started. Then try that command again.


----------



## Mosaic1 (Aug 17, 2001)

Ok, when RPC is not running you get all kinds of issues because just about all the other services depend on it. So no paste, no properties pages in services.msc, and on and on.

Let's try this as a start and see if we can write to the registry. Then if a success, restart. Then come back. After that, the issues of groups not existing can be addressed.

I'll be back in a second with a batch file for you to run.


----------



## WEllin11 (Nov 23, 2007)

Ran Services.msc then found Workstation to be not started but set for Automatic. Did a right click, selected "Properties", but no additional window would appear. Did another right click and selected "Start" and message: "Could not start the workstation service on the Local Computer. Error 1364: a specified authentication package is unknown." (I remember the "Properties" function did not call up a Window on an earlier request you made.)


----------



## Mosaic1 (Aug 17, 2001)

Download and save the attached zip file.

Extract the contents, a file named fixit.bat, to your C: drive. So now you'll have C:\fixit.bat

Run a new task 

Type in C:\fixit.bat

The black command window will remain open. If you see Operation completed successfully, close the command window. Restart. And come back to let us know how things are working. 

After we get the system running well, then you can address the other issues.

I am not sure the command will work though. Writing to that part of the registry requires admin permissions. Let's cross our fingers.


----------



## WEllin11 (Nov 23, 2007)

Ran the fixit.bat file and the "Operation completed successfully". Now I'm rebooting and I'll let you know what happens.


----------



## Mosaic1 (Aug 17, 2001)

Great! I'll be here for a bit. When you get back I'll have you check out something in Local Security policies. But that's for after the reboot.


----------



## WEllin11 (Nov 23, 2007)

The Start button and Task Bar are back!!!! Yeah!!!! I think you are onto something now! I did get the MS Update message indicating updates are ready to install. Should I do that now or wait til later?


----------



## Mosaic1 (Aug 17, 2001)

That's great! 

First can you go to start >run and type (or copy and paste)

secpol.msc

Press enter

When Local Security Policies opens, In the left pane, click on Local Policies.

Now in the right, you see User Rights Assignment listed. Double click on that.
You see a long list in the right pane.

Can you check these two please and tell me what you see listed under the Security setting column for each?

Log on as a service

Deny Log on as a service. 

-----------

Also, have a look around and see if you are able to do the things you weren't before. Let me know how that all is. Once you have things up and running, get your updates.


----------



## WEllin11 (Nov 23, 2007)

Log on as a Service- System, Network Service, *S-1-5-21-2408309094.....
Deny Log on as a service- (it is blank under Security Setting column)
I did go to Control Panel, Network Connections, and it appeared to be working correctly showing connections. So what do you think? Is it fixed? I'll check a few more things. I was able to download AVG Free, where I wasn't able to before. What else should I check?


----------



## Mosaic1 (Aug 17, 2001)

No. Because other services may not start correctly if the Administrator group is not added to that list. The issue it caused was fixed by having the RPC service log on differently so that it would start. RPC is the most important service on your Windows. If it doesn't start, the computer is pretty much toast.

Can you please go back, and then find Log on as a service again and copy exactly what is on that list? Thanks.

We'll add Administrator to it in a second if it is not already there. I'll show you how.


----------



## WEllin11 (Nov 23, 2007)

I do not understand what I am to do. Please give me the instructions.


----------



## JSntgRvr (Jul 1, 2003)

WEllin11 said:


> I do not understand what I am to do. Please give me the instructions.


Check Post #61


----------



## Mosaic1 (Aug 17, 2001)

First can you go to start >run and type (or copy and paste)

secpol.msc

Press enter

When Local Security Policies opens, In the left pane, click on Local Policies.

Now in the right, you see User Rights Assignment listed. Double click on that.
You see a long list in the right pane.

Double click on 
Log on as a service

This will bring up its properties page.

The list you gave me earlier was cut short. I need to see exactly what's in there. Viewing from the properties page will be better. Can you copy the entries and post them please? 

If Administrators is not there, I'll then give you more directions to add it so your services will work correctly.


----------



## WEllin11 (Nov 23, 2007)

I followed the instructions concerning User rights, Log on as a service. The Properties page brought up: Log on as a service Properties window showing the following entries: *S-1-5-21-2408309094-1079718223-2475131663-1005, ASPNET,NETWORK SERVICE, SYSTEM
I was not able to copy them and did not see any "Administrators" entered.


----------



## Mosaic1 (Aug 17, 2001)

Ok. It seems you have more groups listed there than I do. Are you on a server or network?

Let's add the Administrators group to that list. Here's how to do that.

Double click Log On as a service to bring up its property page. When that comes up, Click the Add User or Group button. This will bring up a new dialog. Click the Object Types Button. A new page will appear. Be sure the box in front of Groups is checked. Then click OK.

This will close that window. Now look at the Select Users or Groups Windows again. It will still be open. In the box labeled
"Enter the object names to select"

Type *Administrators* and then click OK. This window will now close. Press OK in the Log on as a service Dialog and check the Local Security Settings window. In the right pane, Log on as a service should now list Administrators in the Security Setting column along with the others.

If so, then go ahead and close the Local Security Settings Window.


----------



## WEllin11 (Nov 23, 2007)

All User rights listings posted below:

| Policy | Security Setting |
|---|---|
| Access this computer from the network | *S-1-5-21-2408309094-1079718223-2475131663-1005, ASPNET, Guest, Users |
| Act as part of the operating system | |
| Add workstations to domain | |
| Adjust memory quotas for a process | LOCAL SERVICE, NETWORK SERVICE, Administrators |
| Allow logon through Terminal Services | Administrators, Remote Desktop Users |
| Back up files and directories | Administrators |
| Bypass traverse checking | Everyone, Administrators, Users |
| Change the system time | Administrators |
| Create a pagefile | Administrators |
| Create a token object | |
| Create global objects | Administrators, INTERACTIVE, SERVICE |
| Create permanent shared objects | |
| Debug programs | Administrators |
| Deny access to this computer from the network | SUPPORT_388945a0, SUPPORT_3f151ab9, Guest |
| Deny logon as a batch job | |
| Deny logon as a service | |
| Deny logon locally | SUPPORT_388945a0, SUPPORT_3f151ab9, *S-1-5-21-2408309094-1079718223-2475131663-1005, ASPNET, Guest |
| Deny logon through Terminal Services | *S-1-5-21-2408309094-1079718223-2475131663-1005, ASPNET |
| Enable computer and user accounts to be trusted for delegation | |
| Force shutdown from a remote system | Administrators |
| Generate security audits | LOCAL SERVICE, NETWORK SERVICE |
| Impersonate a client after authentication | ASPNET, Administrators, SERVICE |
| Increase scheduling priority | Administrators |
| Load and unload device drivers | Administrators |
| Lock pages in memory | |
| Log on as a batch job | *S-1-5-21-2104645921-989610287-1299147156-13523, *S-1-5-21-2104645921-989610287-1299147156-19574, SUPPORT_388945a0, *S-1-5-21-2408309094-1079718223-2475131663-1003, SUPPORT_3f151ab9, *S-1-5-21-2408309094-1079718223-2475131663-1005, Matt Ellington, ASPNET |
| Log on as a service | SYSTEM, NETWORK SERVICE, *S-1-5-21-2408309094-1079718223-2475131663-1005, ASPNET |
| Log on locally | Guest, Administrators, Users |
| Manage auditing and security log | Administrators |
| Modify firmware environment values | Administrators |
| Perform volume maintenance tasks | Administrators |
| Profile single process | Administrators |
| Profile system performance | Administrators |
| Remove computer from docking station | Administrators, Users, Power Users |
| Replace a process level token | LOCAL SERVICE, NETWORK SERVICE |
| Restore files and directories | Administrators |
| Shut down the system | Administrators, Users |
| Synchronize directory service data | |
| Take ownership of files or other objects | Administrators |


----------



## Mosaic1 (Aug 17, 2001)

As to everything else working: if you use System Restore, then you want to be sure it is working.

Go to Start >Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button. Any error messages?

If not, then click the next button. This will get you to the calendar page. Are there any restore points available?

Once we get you set, you'll want to purge all your Restore Points and create a new one so you don't end up back with the same old problems. But I just want to see what's there at the moment. Do not restore anything. Close it up and let us know how it worked.

I take it copy and paste works.


EDIT: I just got an alert that you have answered again. Let me review your last post and get back to you.


----------



## WEllin11 (Nov 23, 2007)

I completed Post #68 by Mosaic. Now what?


----------



## WEllin11 (Nov 23, 2007)

No error messages in System Restore. I took the liberty of making a Restore Point as soon as you got the Start button back. Then another when I was able to download AVG Free anti virus. There are several restore points now available. I have not tried copy and paste yet.


----------



## Mosaic1 (Aug 17, 2001)

Please read my next post. Also, are you on a networked system? Part of a workgroup? That's for you to have a quick look at System restore.
Also, are you on a networked system? Part of a workgroup? I need to know that please.

Then let's test something. Run services.msc

Look at the services list. Look at the Log on as Column.

Now under there, see which services are set to log on as either 
Network service or Local Service.

For any of these which are supposed to run, let's see what is happening.

Anything which is disabled, ignore. You don't want that running. But for anything which is set to manual or automatic, see if it is running. If set to start automatically and not running then try to start it. Hopefully, they will start. All the services which are set to run, may not be. A reboot should set that right. We have added the Administrators to the groups allowed to log on as a service. A reboot should allow those others to behave as they should.


----------



## WEllin11 (Nov 23, 2007)

I take that back, I did do a copy and paste in my response on Post #69. So it must be working.


----------






## WEllin11 (Nov 23, 2007)

This computer is on a wireless network, not in a work group that I know of. I will run the test you mentioned next.


----------



## Mosaic1 (Aug 17, 2001)

> I took the liberty of making a Restore Point as soon as you got the Start button back.


Since you had so many problems, it would be good to get rid of all restore points and start fresh.

Give your system a day or so and be sure everything, including AVG is ok. Then follow this to purge and start fresh:

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.


----------



## WEllin11 (Nov 23, 2007)

How do you attach a file? I am not able to paste the copy of the page you asked for.


----------



## Mosaic1 (Aug 17, 2001)

To attach a file, don't use the quick reply here. Instead, click post a reply. That has more functions. One of those is manage attachments. Click that and then attach the file you wanted.


----------



## WEllin11 (Nov 23, 2007)

Are my attachments attached?


----------



## WEllin11 (Nov 23, 2007)

OK, you should be able to review my attachments above to see how the Services look. Let me know what to do next.


----------



## Mosaic1 (Aug 17, 2001)

Yes they are. I'll have a quick look and then call it a night. It's getting late here. I'll be back tomorrow and want to read this entire thread again. There's a lot here and I'll need to be fresh to digest it all.


----------



## WEllin11 (Nov 23, 2007)

I am tired as well, but you have made a major improvement in a very short time. I have been working on this on and off for 2 weeks!


----------



## WEllin11 (Nov 23, 2007)

Am I good to go for now?


----------



## Mosaic1 (Aug 17, 2001)

You do have some services set to start automatically which are not started. A reboot should fix that.

So if you are going to continue, you might want to restart. Then tomorrow, we'll triple check the state of your services. I'll give you a batch file and we'll make that easier to read. We'll have more to do to refine and triple check things.


----------



## WEllin11 (Nov 23, 2007)

Thank you so much. What was the biggest problem that you fixed with the fixit program?


----------



## WEllin11 (Nov 23, 2007)

I have done a restart and took the liberty of exporting a copy of the Services (Local), both tabs for you to inspect. However, when I hit "Post a Reply" I don't get the Template to fill in and attach files to. Why would this be happening? I'll try this Quick Reply first. Well now I see that Tech Guy is down for the moment. I'll wait to post the reply.


----------



## WEllin11 (Nov 23, 2007)

Here are attached files showing the current state of the Problem computer under Services (Local). Also, one other fact, this computer was in a College Dorm and hooked up to the School's Domain, through a wireless connection several years ago which may explain why there are several Administrators under Account Users.


----------



## Mosaic1 (Aug 17, 2001)

Hi,

This is the 4th time I am trying to post this. So far it hasn't gone through. I think the Software updates currently being performed on the forums may be interfering.

Let's hope the 4th time is the charm.

You're welcome.

I'll answer your question about what that batch did first, and then give you a brief explanation.

The batch wrote to the registry to change the way the RPC service logs on. It was logging on as the Network Service from what you had said.

So we changed that to have it log in under Local System. That is fine and works well.

But why and how does this affect so much of how Windows works?

Services are key to the proper functioning of the operating system. Each service provides you with one or more features. For example the system restore service you had a problem with. That had not started and therefore you couldn't use it after your other problems started.

You had no network connections listed. That was because yet another service had not started.

You couldn't create a new User Profile.

In fact most, if not all of your problems were the result of one or more services not having started. The missing taskbar, the no copy and paste, the no properties pages in the Services snap in. The net command generating an error......

----------------------------

When we deal with services, we see that they have Dependencies. Some services depend on other services starting first. If these services on which they depend are not started, then they will not start either. That can cause a domino effect of services not starting.

Remote Procedure Call is a very important service. Most of the other Windows Services depend on RPC either directly or indirectly. So if RPC cannot start, then most of the other services will not start either.

That leaves you with a barely functioning Windows. And that's what you had.

----------------------------

Let's get back to the core issue. Why didn't RPC start?

I had mentioned the Log on earlier and how it was changed.

You had a particular error which pointed to a failed log on. This can be caused by several things. We changed the way RPC logs on and rebooted. RPC and its dependent services started and you were back.

However, there were underlying issues. You should have been able, as a user with Administrative rights, to have RPC log on as a Service. But it didn't.

----------------------

That brings us to another issue. That issue is User Rights. All users on Windows XP are not allowed to perform all tasks. There are special rights assigned to each user group or to individual groups.

Looking in secpol.msc, we found that the Administrative group did not have the right to log on as a service. Without that right, when RPC was set to log on as a service, it couldn't start.

We had already fixed RPC. However, there are other Services in Windows which are set to log on as a service. Without the right to do so under an Administrative account, they just would not start.

So we added the Administrators Group to the list there. Now Administrators have the right to log on as a service on your system.

----------------

We took a look and found that many of your services had not started. These were the services which still were set to log on as Service.

So now you needed to reboot and see if they started.

And that's where we are now. We have to examine the list of services set to automatic where the log on is either Network Service or Local Service to see if they have now started after our fix, assuming you have done another reboot.

-------------------------

These services are listed as Automatic and were not started before we did part two and fixed your User Rights assignments.

DNS Client
Windows Media Player Network Sharing Service
Remote Registry
TCP/IP NetBIOS Helper
WebClient

If you have not already rebooted after we went into Secpol, please do that now.

Let's see if they have now started after a reboot.

Please run services.msc
Look at the list. Check each of these services to see if they have started. The Status column will give you that information.

*DNS Client*
*Windows Media Player Network Sharing Service*
*Remote Registry*
*TCP/IP NetBIOS Helper*
*WebClient*

Let me know if these 5 services are now running please.


----------
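A script version of the checks Mosaic1 walks through above (Automatic services that did not start, the account each logs on as, and whether Administrators holds the Log on as a service right). This is an added example, not the batch file promised in the thread; it assumes Windows PowerShell with WMI and secedit.exe available, run from an elevated prompt.

```powershell
# Added example, not a batch file from the thread. Assumes Windows PowerShell (2.0 or later)
# running as an administrator, with WMI and secedit.exe available (both ship with XP).

# --- Part 1: Automatic services that did not start, and the account each logs on as ---
# Win32_Service exposes StartMode (Auto/Manual/Disabled), State and StartName (logon account).
$notStarted = Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    Select-Object Name, DisplayName, StartName, State, ExitCode

if ($notStarted) {
    "Services set to Automatic that are NOT running:"
    $notStarted | Format-Table -AutoSize | Out-String
    # Services whose StartName is NT AUTHORITY\NetworkService or NT AUTHORITY\LocalService
    # need a working service logon; a failed one surfaces as Error 1069 (logon failure),
    # which is what DNS Client reported in this thread.
}
else {
    "All Automatic services are running."
}

# --- Part 2: who holds the 'Log on as a service' right (SeServiceLogonRight) ---
# secedit exports the local policy as a Unicode .inf; the USER_RIGHTS area holds one
# line per privilege, e.g.  SeServiceLogonRight = *S-1-5-20,*S-1-5-32-544
$inf = Join-Path $env:TEMP 'user_rights_export.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

$rightLine = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

if (-not $rightLine) {
    "Could not read SeServiceLogonRight (secedit /export needs an elevated prompt)."
    return
}

# Entries are SIDs prefixed with '*' (or occasionally plain names), comma separated.
$grantees = ($rightLine -replace '^SeServiceLogonRight\s*=\s*', '') -split ',' |
    ForEach-Object { $_.Trim() }
"Log on as a service is granted to: $($grantees -join ', ')"

# S-1-5-32-544 is the well-known SID of the local Administrators group; secedit normally
# writes it as *S-1-5-32-544 rather than by name.
if ($grantees -contains '*S-1-5-32-544' -or $grantees -contains 'Administrators') {
    "OK: Administrators holds the Log on as a service right."
}
else {
    "MISSING: Administrators is not in Log on as a service; add it in secpol.msc as described above."
}
```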



## Mosaic1 (Aug 17, 2001)

It would be easier not to have to read your attachments. Can you please follow the last set of instructions and let me know? Thanks.
Thanks for the information about the several accounts. Yes. There are surely a lot more than the usual listed in User Rights.


----------



## WEllin11 (Nov 23, 2007)

DNS Client- Not started, set for Auto, Network Service
Windows Media Player- Not Started, set for Auto, Network Service
Remote Registry- Not Started, set for Auto, Local Service
TCP/IP NetBIOS- Not Started, set for Auto, Local Service
WebClient- Not started, set for Auto, Local Service


----------



## Mosaic1 (Aug 17, 2001)

Ok. Can you please try to start the Dns Client service and see what error you get?

Then we'll check out a few things.


----------



## WEllin11 (Nov 23, 2007)

Message I got was: Could not start the DNS Client Service on the LOCAL Computer Error: 1069 The service did not start due to Logon failure.


----------



## Mosaic1 (Aug 17, 2001)

That's the same issue. And it can be caused by password issues. Does your account have a password? Does the Administrator account have a password?

Also, can you go back into secpol.msc and double check to be sure that the Administrators Group was actually added to the Log on as a service right?


----------



## WEllin11 (Nov 23, 2007)

Yes, my son's account has a password and he is in the Administrators Group. I do not know what the password is for "Administrator". I'll go back and do secpol.msc to check Administrators Group being added.


----------



## WEllin11 (Nov 23, 2007)

Yes, "Administrators" has been added to the list under "Log on as a service" window.


----------



## WEllin11 (Nov 23, 2007)

Does the word "Administrators" need to be in all capital letters? "ADMINISTRATORS"? Although, when I go to Control Panel, User Accounts, it is typed "Administrators" under Groups.


----------



## Mosaic1 (Aug 17, 2001)

Let's try something on a service you don't want running anyway. That would be the Alerter service. 
In services.msc, enable alerter and set it to manual. Then press the log on tab. 
Then select the Local System Account under "Log on as".

Try to Start the service. You'll get this error.

Could not start the Alerter service on Local Computer.
Error 1079: The account specified for this service is different from the account specified for other services running in the same process.

-----------------------
Go back into the logon tab again. Now select the "This account" radio button.

Paste this into the top box under This Account:
*NT AUTHORITY\LocalService*

So now you have reset it back to the Local Service account.

Clear both the Password and Confirm Password boxes so that now they are empty.

Leave them that way and then click the apply button.

Close the alerter properties page.

Now try to start the alerter service. Does it start?

Now stop it and then either way, disable it again.

Let me know if this works and if Alerter started for you after you made these changes. If it does, we'll try it on the other services.


----------
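An added check for the Error 1079 case in the Alerter experiment above: a service that shares a svchost.exe host process with other services must use the same logon account as they do. Example code, not from the thread; it assumes Windows PowerShell with WMI access.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell with WMI access.
# Services hosted in svchost.exe are launched with "-k <group>"; every service in one
# group runs in the same process and must use the same logon account, otherwise the
# service control manager refuses to start the odd one out with Error 1079.

$byGroup = @{}
Get-WmiObject Win32_Service | ForEach-Object {
    # PathName looks like: C:\WINDOWS\system32\svchost.exe -k netsvcs (path may be quoted)
    if ($_.PathName -match 'svchost\.exe"?\s+-k\s+(\S+)') {
        $group = $Matches[1]
        if (-not $byGroup.ContainsKey($group)) { $byGroup[$group] = @() }
        $byGroup[$group] += $_
    }
}

$mismatches = 0
foreach ($group in $byGroup.Keys) {
    # Distinct logon accounts used within this host process group
    $accounts = @($byGroup[$group] | ForEach-Object { $_.StartName } | Sort-Object -Unique)
    if ($accounts.Count -gt 1) {
        $mismatches++
        "svchost group '$group' mixes logon accounts: $($accounts -join ', ')"
        $byGroup[$group] | Select-Object Name, StartName, State | Format-Table -AutoSize | Out-String
    }
}
"Checked $($byGroup.Count) svchost groups; $mismatches with inconsistent logon accounts."
```

A group with mixed accounts is the configuration the Alerter test above provokes on purpose; resetting the odd service to the group's account (for Alerter, NT AUTHORITY\LocalService) clears it.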



## Mosaic1 (Aug 17, 2001)

> Does the word "Administrators" need to be in all capital letters? "ADMINISTRATORS"? Although, when I go to Control Panel, User Accounts, it is typed "Administrators" under Groups.


No. It should be Administrators.


----------



## Mosaic1 (Aug 17, 2001)

You will get errors trying the last instructions. 

I have tracked down the cause. As promised, I read this entire thread again. It was bewildering as to what could have caused this. You did some fixes and then rebooted to find these issues. I tested something on my own system and duplicated your current errors. 


What happened was that a registry key was corrupted and now you have this password checking error. Changing the log on type for RPC allowed it to run. No password is required or verified when a service logs on as Local System so this worked. 

Let's fix it. 

Download and save the zip attachment. Then unzip it to your desktop. You will now have a file named lsafix.reg on your desktop. 

Double click on lsafix.reg and say yes to the prompts to enter into your registry. 

Then you'll need to restart to have the change recognized by your security.

When you get back to Windows, check those services I previously listed again. They should all be running. 

Let me know how you do.


----------



## WEllin11 (Nov 23, 2007)

Mosaic,
You are a genius!! I ran the lsafix, then rebooted. Did the services.msc and found DNS Client, Windows Media Player, Remote Registry, TCP/IP NetBios and Web Client all to be "Started"!! So now what? Any other cleanups or advice?


----------



## Mosaic1 (Aug 17, 2001)

Thanks. I am just stubborn more than genius...

I am rusty on the log reading. But I think we should have another Deckard System Scan following the same routine you did earlier. 
See how that goes and take it from there. 

And you'll want to purge your restore points and start fresh too.


----------



## WEllin11 (Nov 23, 2007)

At this point I can't remember the Deckard System Scan, but I can go back in the Posts and find it. What will it be looking for? I have purged the Restore Points and will create one now if you think I'm in good shape.


----------



## Mosaic1 (Aug 17, 2001)

Here's a link to those directions. 
http://forums.techguy.org/5401207-post8.html

I just want to see if there's anything leftover. And may I have a new hijackthis log too please?

Deckard makes a new system restore point. But I would really like you to purge the old ones. If everything is fine, then they are just taking up space. If you were to restore back to one of them, you might be back in trouble with some of these issues being put back.

I can only stay a very short time tonight. Maybe 20 more minutes.


----------



## WEllin11 (Nov 23, 2007)

Here is the result of Deckards. Let me know what to do next other than the Restore stuff. Thanks so much!!


----------



## WEllin11 (Nov 23, 2007)

Here is a Hijack this log. What do you think? Am I good to go?


----------



## Mosaic1 (Aug 17, 2001)

There are just a couple of things leftover here.


And I don't see a firewall. You should install one.

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Did you uninstall McAfee? 

If so, you have a leftover here:
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding

I have to leave for the night. But I'll be back tomorrow.


----------



## WEllin11 (Nov 23, 2007)

I have the Windows XP Pro SP2 Firewall enabled with very few exceptions. The no name Toolbar could be from trying to uninstall an AOL Toolbar that was listed under the ADD/REMOVE Software Window, then reinstalled it from AOL hoping my Start Button and Task Bar would come back. (It didn't, of course) McAfee was giving an error during boot up, so the other Tech Guy, JSntgRvr, gave me a McAfee uninstall tool to download on Post #26. I ran the tool, maybe it didn't get everything. Post what I need to do next tomorrow when you return. I have done the flush of the System Restore and created a new point with your name on it! Again, thanks for everything you have done. (Especially for being persistent!!)
Wayne


----------



## JSntgRvr (Jul 1, 2003)

Hi, *WEllin11* 

Congratulations. That was a tough one. Thanks to *Mosaic1* for her persistence and support.

Let's finish with the clean-up. What's left are entries pertaining to McAfee, Norton and BestsellerAntivirus.

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, *Regfix.reg* . Once extracted, open the folder and double click on the *Regfix.reg* file and select *Yes* when prompted to merge it into the registry.

Go to *Start*->*Run*, type *CMD* and click *Ok*. The *MSDOS* window will be displayed. At the prompt type the following and press Enter after each line:

*SC Stop MCVSRte*
*SC Delete MCVSRte*
*Exit*

Note: You may receive an error on the first command as the file no longer exists. Run the second command anyway to remove the entry from your services.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Now *close all windows and browsers, other than HiJackThis*, then click Fix Checked.

Close Hijackthis.

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these *folders* (if present):

*C:\VundoFix Backups*
*C:\Program Files\Symantec*
*C:\Program Files\Common Files\BestsellerAntivirus*

Restart the computer.

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
*Comodo Free Firewall* - Although AVG provides you with realtime protection, it will be a good idea to have an extra protection against attackers.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

*IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*CleanUP*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Click *Here* for some advice from our security Experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!


----------



## WEllin11 (Nov 23, 2007)

Well, it has taken a long time but I think it is finally repaired. Thanks so much for both your persistence. I am going to take a leap of faith and download the IE Explorer 7 update that I have been putting off for some time. Any problem with that?
Thanks again,
Wayne


----------



## Mosaic1 (Aug 17, 2001)

WEllin11,


I just wanted to pop in and say you're welcome. You're in good hands with JSntgRvr.

I would think an update would be ok now. 

Mo


----------



## JSntgRvr (Jul 1, 2003)

For information on Services, you can reach this site:

http://www.theeldergeek.com/services_guide.htm

It contains valuable information on services that should be running and those that are unnecessary.

:up::up:


----------

