WiniBlueSoft - Serious Problem Help Please


Rai
09-05-09, 13:05
Hi,

Yesterday I installed a program called WiniBlueSoft, which claimed it was from Microsoft. It is a fake anti-spyware program that basically gives annoying pop-ups telling of risks and tries to get you to buy the full version to get rid of these risks. It infiltrated my Windows Security centre; all links from there take me to a site to buy WiniBlueSoft (which I won't do, obviously).

I Googled and most of the links I go on advise to download Spyware Doctor, which I did install, but it doesn't install properly, giving me an error saying it could finish installing updates so I can't use it. So I have tried others with no luck.

Has anyone heard of WiniBlueSoft? Can anyone help me get rid of it? All help will be much appreciated.

EscondeR
09-05-09, 13:41
1. Why on earth did you download and install crap that even sounds fishy? :confused:

2. Download ARDiag.exe (http://www.tombraiderhub.com/download/ardiag.exe).

3. Reboot your PC in the Safe mode (F8 at boot and choose from the menu).

4. Run ARDiag.exe, let it perform the scan and save the report into text file (save AS IS, do NOT edit).

5. Reboot in Normal mode and post the full report here.

While in Safe mode you can also try this:
Search for and delete the following files and folders:

%ProgramFiles%\WiniBlueSoft Software\WiniBlueSoft
%AllUsersProfile%\Start Menu\Programs\WiniBlueSoft


Run Regedit and kill the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WiniBlueSoft"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "setup2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\WiniBlueSoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WiniBlueSoft
HKEY_CURRENT_USER\Software\WiniBlueSoft

Rai
10-05-09, 16:02
Here is the report:




Program:
N/A
Publisher:
"(Verified) Lavasoft AB"
Entry path:
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
Entry name:
lsdelete
Program path & name:
"c:\windows\system32\lsdelete.exe"
Enabled: [V]


Program:
"Provides automatic updating for the avast! antivirus."
Publisher:
"(Verified) ALWIL Software"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
aswUpdSv
Program path & name:
"c:\program files\alwil software\avast4\aswupdsv.exe"
Enabled: [V]


Program:
"Manages and implements avast! antivirus services for this computer. This includes the resident protection
Publisher:
the virus chest and the scheduler."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
avast! Antivirus
Program path & name:
"(Verified) ALWIL Software""c:\program files\alwil software\avast4\ashserv.exe"
Enabled: [V]


Program:
"Bonjour allows applications like iTunes and Safari to advertise and discover services on the local network. Having Bonjour running enables you to connect to hardware devices like Apple TV and software services like iTunes sharing and AirTunes. If you disable Bonjour
Publisher:
any network service that explicitly depends on it will fail to start."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Bonjour Service
Program path & name:
"(Verified) Apple Inc.""c:\program files\bonjour\mdnsresponder.exe"
Enabled: [V]


Program:
"Keeps your Google software up to date. If this service is disabled or stopped
Publisher:
your Google software will not be kept up to date meaning security vulnerabilities that may arise can't be fixed and features may not work. This service uninstalls itself when there is no Google software using it."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
gupdate1c9aa8fc48c80aa
Program path & name:
"(Verified) Google Inc""c:\program files\google\update\googleupdate.exe"
Enabled: [V]


Program:
"This service detects and monitors CUE devices on the system."
Publisher:
"(Not verified) Hewlett-Packard Co."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
hpqddsvc
Program path & name:
"c:\program files\hp\digital imaging\bin\hpqddsvc.dll"
Enabled: [V]


Program:
"Discovers and monitors the state and the configuration of the HP devices attached to your network. If the service is stopped
Publisher:
and your network devices change IP addresses they might become unavailable"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
HPSLPSVC
Program path & name:
"(Not verified) Hewlett-Packard Co.""c:\program files\hp\digital imaging\bin\hpslpsvc32.dll"
Enabled: [V]


Program:
"Ad-Aware Service"
Publisher:
"(Verified) Lavasoft AB"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Lavasoft Ad-Aware Service
Program path & name:
"c:\program files\lavasoft\ad-aware\aawservice.exe"
Enabled: [V]


Program:
"Dot4Net Module"
Publisher:
"(Not verified) Hewlett-Packard"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Net Driver HPZ12
Program path & name:
"c:\windows\system32\hpzinw12.dll"
Enabled: [V]


Program:
"PmlDrv Module"
Publisher:
"(Not verified) Hewlett-Packard"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Pml Driver HPZ12
Program path & name:
"c:\windows\system32\hpzipm12.dll"
Enabled: [V]


Program:
"Provides auxiliary PC Tools Security services. If this service is disabled spyware protection will be reduced."
Publisher:
"(Verified) PC Tools"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
sdAuxService
Program path & name:
"c:\program files\spyware doctor\pctsauxs.exe"
Enabled: [V]


Program:
"Provides spyware and malware protection for the system. If this service is disabled spyware protection will be disabled."
Publisher:
"(Verified) PC Tools"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
sdCoreService
Program path & name:
"c:\program files\spyware doctor\pctssvc.exe"
Enabled: [V]


Program:
"AEGIS Protocol (IEEE 802.1x) v3.2.0.3"
Publisher:
"(Not verified) Meetinghouse Data Communications"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AegisP
Program path & name:
"c:\windows\system32\drivers\aegisp.sys"
Enabled: [V]


Program:
"WAN Driver"
Publisher:
"(Not verified) THOMSON"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
alcan5wn
Program path & name:
"c:\windows\system32\drivers\alcan5wn.sys"
Enabled: [V]


Program:
"WDM Driver"
Publisher:
"(Not verified) THOMSON"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
alcaudsl
Program path & name:
"c:\windows\system32\drivers\alcaudsl.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AR5523
Program path & name:
File not found: system32\DRIVERS\WG11TND5.sys"
Enabled: [V]


Program:
"PCAUSA NDIS 5.0 Protocol Driver"
Publisher:
"(Not verified) Printing Communications Assoc. Inc. (PCAUSA)"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
DNINDIS5
Program path & name:
"c:\windows\system32\dnindis5.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
gaopdxserv.sys
Program path & name:
File not found: C:\WINDOWS\system32\drivers\gaopdxeapivikj.sys"
Enabled: [V]


Program:
"Multimedia Home Network component driver"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
MHNDRV
Program path & name:
"c:\windows\system32\drivers\mhndrv.sys"
Enabled: [V]


Program:
"PCAUSA NDIS 5.0 Protocol Driver"
Publisher:
"(Not verified) Printing Communications Assoc. Inc. (PCAUSA)"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PCANDIS5
Program path & name:
"c:\windows\system32\pcandis5.sys"
Enabled: [V]


Program:
"Px Engine Device Driver for Windows 2000/XP"
Publisher:
"(Verified) Sonic Solutions"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PxHelp20
Program path & name:
"c:\windows\system32\drivers\pxhelp20.sys"
Enabled: [V]


Program:
"WLAN Transport"
Publisher:
"(Not verified) Intel Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
s24trans
Program path & name:
"c:\windows\system32\drivers\s24trans.sys"
Enabled: [V]


Program:
"Universal Serial Bus Camera Driver"
Publisher:
"(Not verified) Service & Quality Technology."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SQTECH905C
Program path & name:
"c:\windows\system32\drivers\capt905c.sys"
Enabled: [V]


Program:
"SVKP driver for NT"
Publisher:
"(Not verified) AntiCracking"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
STEC3
Program path & name:
"c:\windows\system32\stec3.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SYMIDSCO
Program path & name:
File not found: C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050901.036\symidsco.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SymIM
Program path & name:
File not found: system32\DRIVERS\SymIM.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SymIMMP
Program path & name:
File not found: system32\DRIVERS\SymIM.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
xqpo
Program path & name:
File not found: system32\drivers\mphfizza.sys"
Enabled: [V]


Program:
"LogonNotify DLL"
Publisher:
"(Not verified) Intel Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
IntelWireless
Program path & name:
"c:\program files\intel\wireless\bin\lgnotify.dll"
Enabled: [V]


Program:
"WSST_ENGINE MFC Application"
Publisher:
N/A
Entry path:
HKCU\Control Panel\Desktop\Scrnsave.exe
Entry name:
c:\windows\angels~1.scr
Program path & name:
c:\windows\angels and fairies.scr"
Enabled: [V]


Program:
"Standard TCP/IP Port Monitor DLL"
Publisher:
"(Not verified) Hewlett Packard"
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
Entry name:
HP Standard TCP/IP Port
Program path & name:
"c:\windows\system32\hptcpmon.dll"
Enabled: [V]


Program:
"QuickTime Task"
Publisher:
"(Not verified) Apple Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
QuickTime Task
Program path & name:
"c:\program files\quicktime\qttask.exe"
Enabled: [V]


Program:
"iTunesHelper Module"
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
iTunesHelper
Program path & name:
"c:\program files\itunes\ituneshelper.exe"
Enabled: [V]


Program:
"PC Tools Tray Application"
Publisher:
"(Verified) PC Tools"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
ISTray
Program path & name:
"c:\program files\spyware doctor\pctstray.exe"
Enabled: [V]


Program:
"Ad-Aware Tray Application"
Publisher:
"(Verified) Lavasoft AB"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
Ad-Watch
Program path & name:
"c:\program files\lavasoft\ad-aware\aawtray.exe"
Enabled: [V]


Program:
"avast! service GUI component"
Publisher:
"(Verified) ALWIL Software"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
avast!
Program path & name:
"c:\program files\alwil software\avast4\ashdisp.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
MyWebSearch Plugin
Program path & name:
File not found: C:\PROGRA~1\MYWEBS~1\bar\1a.bin\M3PLUGIN.DLL"
Enabled: [ ]


Program:
"QuickTime Task"
Publisher:
"(Not verified) Apple Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
QuickTime Task
Program path & name:
"c:\program files\quicktime\qttask.exe"
Enabled: [ ]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
Entry name:
0
Program path & name:
File not found: About:Home"
Enabled: [V]


Program:
"GoogleToolbarNotifier"
Publisher:
"(Verified) Google Inc"
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
swg
Program path & name:
"c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe"
Enabled: [V]


Program:
"Security Center"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
setup2.exe
Program path & name:
"c:\windows\system32\setup2.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
Messenger (Yahoo!)
Program path & name:
File not found: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
Enabled: [ ]


Program:
"Ad-Aware Admin Application"
Publisher:
"(Verified) Lavasoft AB"
Entry path:
Task Scheduler
Entry name:
Ad-Aware Update (Weekly).job
Program path & name:
"c:\program files\lavasoft\ad-aware\ad-awareadmin.exe"
Enabled: [V]


Program:
"HP Smart Web Printing add-on for Internet Explorer"
Publisher:
"(Verified) Hewlett-Packard Company"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
HP Print Enhancer
Program path & name:
"c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll"
Enabled: [V]


Program:
"Adobe PDF Helper for Internet Explorer"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Adobe PDF Reader Link Helper
Program path & name:
"c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll"
Enabled: [V]


Program:
"SBSD IE Protection"
Publisher:
"(Verified) Safer Networking Ltd."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Spybot-S&D IE Protection
Program path & name:
"c:\program files\spybot - search & destroy\sdhelper.dll"
Enabled: [V]


Program:
"GoogleToolbarNotifier"
Publisher:
"(Verified) Google Inc"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Google Toolbar Notifier BHO
Program path & name:
"c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll"
Enabled: [V]


Program:
"HP Smart Web Printing add-on for Internet Explorer"
Publisher:
"(Verified) Hewlett-Packard Company"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
HP Smart BHO Class
Program path & name:
"c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Display Panning CPL Extension
Program path & name:
File not found: deskpan.dll"
Enabled: [V]


Program:
"Shell Extensions"
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
RecordNow! SendToExt
Program path & name:
c:\apps\recordnow\shlext.dll"
Enabled: [V]


Program:
"PowerISOShell DLL"
Publisher:
"(Not verified) PowerISO Computing Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
PowerISO
Program path & name:
"c:\program files\poweriso\pwrisosh.dll"
Enabled: [V]


Program:
"VDMSound LaunchPad Shell Extension"
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
VDMSound LaunchPad
Program path & name:
c:\program files\vdmsound\launchpad.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WinRAR shell extension
Program path & name:
c:\program files\winrar\rarext.dll"
Enabled: [V]


Program:
"iTunes Mini Player DLL"
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
iTunes
Program path & name:
"c:\program files\itunes\itunesminiplayer.dll"
Enabled: [V]


Program:
"avast! Shell Extension"
Publisher:
"(Verified) ALWIL Software"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
avast
Program path & name:
"c:\program files\alwil software\avast4\ashshell.dll"
Enabled: [V]


Program:
"PDF Shell Extension"
Publisher:
"(Not verified) Adobe Systems Inc."
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
PDF Shell Extension
Program path & name:
"c:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:

Program path & name:
File not found: C:\PROGRA~1\orange3\orange3.dll"
Enabled: [V]


Program:
"Google IE Client Toolbar"
Publisher:
"(Verified) Google Inc"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
googletoolbar1.dll
Program path & name:
"c:\program files\google\googletoolbar1.dll"
Enabled: [V]



I will continue with the rest of your advice and get back here soon. Thanks for your help so far.

dox online
10-05-09, 16:52
Found the winiblue fake security center!
Program:
"Security Center"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
setup2.exe
Program path & name:
"c:\windows\system32\setup2.exe"
Enabled: [V]


Disable that entry with autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx), then download malwarebytes (http://www.malwarebytes.org/), run a scan and remove the found infections, then download the latest updates if malwarebytes can now connect to the malwarebytes server. If it can, then download the updates and run another scan, then you should be clean! You can then decide whether you want to keep avast or buy malwarebytes or get another solution. I recommend avira (http://www.free-av.com). Happy surfing!
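
The check used to spot the fake "Security Center" entry, as an added example that is not part of any post in this thread and not ARDiag's own code: it parses the report layout posted above and flags enabled entries whose publisher claims Microsoft but is "(Not verified)". The function names and the "high"/"review" levels are assumptions of this example; the two sample records are copied from the report in this thread.

```python
import re

# Two records copied from the report posted in this thread; the field labels
# are the report's own, the scoring rule in triage() is this example's assumption.
SAMPLE_REPORT = r'''Program:
"Security Center"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
setup2.exe
Program path & name:
"c:\windows\system32\setup2.exe"
Enabled: [V]

Program:
"Multimedia Home Network component driver"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
MHNDRV
Program path & name:
"c:\windows\system32\drivers\mhndrv.sys"
Enabled: [V]
'''

FIELDS = ("Program", "Publisher", "Entry path", "Entry name", "Program path & name")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

def parse_report(text):
    """Split the label/value report into one dict per 'Program:' record."""
    records, current, field = [], None, None
    for line in map(str.strip, text.splitlines()):
        label = line[:-1] if line.endswith(":") else None
        if label == "Program":            # a new record starts here
            current = dict.fromkeys(FIELDS, "")
            records.append(current)
            field = label
        elif current is None:             # text before the first record
            continue
        elif label in FIELDS:             # next line(s) hold this field's value
            field = label
        elif line.startswith("Enabled:"):
            current["Enabled"], field = "[V]" in line, None
        elif field and line:
            current[field] += line.strip('"')
    return records

def triage(records):
    """Flag enabled entries that claim Microsoft without a verified signature."""
    out = []
    for rec in records:
        pub = rec["Publisher"]
        if rec.get("Enabled") and "(Not verified)" in pub and "microsoft" in pub.lower():
            level = "high" if RUN_KEY.search(rec["Entry path"]) else "review"
            out.append((rec["Entry name"], level))
    return out
```

The MHNDRV driver comes back as "review" rather than "high": an unverified publisher string alone also matches unsigned legitimate files, so the Run-key autostart is what raises the priority of `setup2.exe`.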

Rai
11-05-09, 18:20
Thank you for your help. I tried dox online's advice and malwarebytes found WiniBlue and got rid. The funny thing is, I had tried that before but it didn't pick it up. Is that because I didn't use autoruns?

Anyway, all seems clear now. :D