Some More Infections Left


This topic is locked
14 replies to this topic

#1 jase07


Posted 13 September 2008 - 03:41 AM

After battling threats on my computer for a few weeks now, I'm glad to say that my programs are now working well, but I still can't get rid of an infection that keeps redirecting some of my pages to www.inonto.com, and some more with this dll file named fipsbqlkjih.dll that keeps on putting itself into the winlogon.


I used Malwarebytes to detect and remove these infections, but they keep on coming back, so I decided to seek help from one of the most respected forums on the net...

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:10 PM, on 9/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\WServer\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Faronics\Deep Freeze Enterprise Server\DF5ServerService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
D:\Programs\Webserver\MySQl\bin\mysqld-nt.exe
D:\Programs\WServer\Apache2\bin\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\dhen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Faronics\Deep Freeze 6 Enterprise\DF6Console.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\PROGRA~1\CAFEMA~1\CafeManila.exe
C:\Program Files\Radmin Viewer 3.0\Radmin.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: winhost_app.winhost_appdll - {5E06398E-3017-467B-A399-18425A20F655} - C:\WINDOWS\winhost_app.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/BookWorm/Images/stg_drm.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/BookWorm/Images/armhelper.ocx
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C560AD6-A5B1-477E-9088-9B8CEA8D6685}: NameServer = 208.68.222.222,192.168.0.1
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: fipsbqlkjih - fipsbqlkjih.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - D:\Programs\WServer\Apache2\bin\Apache.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Deep Freeze Server Service (DF5Server) - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze Enterprise Server\DF5ServerService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: MySQL - Unknown owner - D:\Programs\Webserver\MySQl\bin\mysqld-nt (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 8527 bytes


#2 miekiemoes


Posted 14 September 2008 - 04:05 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 jase07


Posted 14 September 2008 - 11:45 AM

Hi miekiemoes, thank you for responding quickly.

ComboFix 08-09-13.05 - dhen 2008-09-15 0:31:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1459 [GMT 8:00]
Running from: C:\Documents and Settings\dhen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\dhen\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\dhen\Application Data\inst.exe
C:\Documents and Settings\dhen\Cookies\dhen@ad.yieldmanager[2].txt
C:\Documents and Settings\dhen\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GOOGLE_ONLINE_SERVICES
-------\Legacy_QANDR
-------\Legacy_TCPSR


((((((((((((((((((((((((( Files Created from 2008-08-14 to 2008-09-14 )))))))))))))))))))))))))))))))
.

2008-09-14 22:35 . 2008-09-14 22:35 0 --a------ C:\25.tmp
2008-09-14 12:36 . 2008-09-14 21:51 97,156 --a------ C:\17.tmp
2008-09-13 14:55 . 2008-09-13 14:55 0 --a------ C:\14.tmp
2008-09-13 14:53 . 2008-09-13 14:54 98,677 --a------ C:\13.tmp
2008-09-11 23:50 . 2008-09-11 23:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 23:50 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 23:50 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 14:55 . 2008-09-11 15:09 0 --a------ C:\23.tmp
2008-09-08 17:36 . 2008-09-08 18:01 164 --a------ C:\WINDOWS\mix-fx.ini
2008-09-07 03:42 . 2008-09-07 03:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-07 03:31 . 2008-09-07 03:31 <DIR> d-------- C:\Program Files\Bonjour
2008-09-07 03:26 . 2008-09-07 03:26 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-09-06 13:07 . 2008-09-06 23:21 0 --a------ C:\24.tmp
2008-08-31 13:49 . 2008-09-10 14:53 119,488 --a------ C:\21.tmp
2008-08-29 18:56 . 2008-09-06 19:04 98,647 --a------ C:\18.tmp
2008-08-27 11:30 . 2008-08-27 11:30 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\Malwarebytes
2008-08-27 11:30 . 2008-08-27 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 09:00 . 2008-08-27 09:03 4,856 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-27 04:13 . 2008-08-27 04:13 <DIR> d-------- C:\_OTMoveIt
2008-08-27 01:50 . 2008-08-27 03:23 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-08-27 01:04 . 2008-04-15 05:52 <DIR> d-------- C:\Documents and Settings\Administrator\ff_temp
2008-08-27 01:04 . 2008-04-15 05:52 <DIR> d-------- C:\Documents and Settings\Administrator\7zS183B.tmp
2008-08-27 01:04 . 2008-08-27 09:06 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-26 20:42 . 2008-08-26 20:42 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\AntsSoft
2008-08-26 19:23 . 2008-09-01 18:11 0 --a------ C:\28.tmp
2008-08-24 16:41 . 2008-08-24 16:41 0 --a------ C:\12.tmp
2008-08-24 15:23 . 2008-08-24 15:23 <DIR> d-------- C:\Program Files\Xilisoft
2008-08-23 18:43 . 2008-08-23 18:43 <DIR> d-------- C:\Program Files\KoolMoves
2008-08-22 17:36 . 2008-02-17 04:11 36,864 --a------ C:\WINDOWS\winhost_app.dll
2008-08-21 20:29 . 2008-08-21 20:38 <DIR> d-------- C:\Program Files\IrfanView
2008-08-21 18:12 . 2008-08-21 18:12 <DIR> d-------- C:\Documents and Settings\dhen\temp
2008-08-21 18:12 . 2008-08-27 23:23 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\TeamViewer
2008-08-20 22:09 . 2008-08-20 22:09 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-08-19 23:49 . 2008-08-19 23:49 <DIR> d-------- C:\Program Files\SourceTec
2008-08-19 23:49 . 2008-08-19 23:49 <DIR> d-------- C:\Program Files\Common Files\SourceTec
2008-08-19 13:20 . 2008-08-19 13:20 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\Hewlett-Packard
2008-08-19 00:25 . 2008-08-19 00:25 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\Nokia
2008-08-19 00:25 . 2008-08-19 00:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-08-19 00:24 . 2008-08-19 00:24 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-08-19 00:24 . 2008-08-19 00:47 <DIR> d-------- C:\Program Files\Nokia
2008-08-19 00:24 . 2008-08-19 00:24 <DIR> d-------- C:\Program Files\DIFX
2008-08-19 00:24 . 2008-08-19 00:24 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\PC Suite
2008-08-19 00:24 . 2007-02-22 11:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-08-19 00:24 . 2007-02-22 11:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-08-19 00:24 . 2007-02-22 11:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-08-19 00:24 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-08-19 00:24 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-08-19 00:24 . 2007-02-22 11:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-08-19 00:22 . 2008-08-19 00:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-08-14 10:35 . 2008-08-14 10:35 35 --a------ C:\WINDOWS\worldbuilder.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-14 12:28 --------- d-----w C:\Documents and Settings\dhen\Application Data\FileZilla
2008-09-13 15:04 --------- d-----w C:\Documents and Settings\dhen\Application Data\Vso
2008-09-13 01:13 --------- d-----w C:\Documents and Settings\dhen\Application Data\AVG7
2008-09-10 18:07 --------- d-----w C:\Documents and Settings\dhen\Application Data\uTorrent
2008-09-09 18:47 --------- d-----w C:\Program Files\GetRight
2008-09-08 05:55 --------- d-----w C:\Documents and Settings\dhen\Application Data\U3
2008-09-08 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-09-06 19:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-27 18:30 --------- d-----w C:\Program Files\Google
2008-08-27 16:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-26 17:50 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-20 18:23 --------- d-----w C:\Program Files\Faronics
2008-08-08 04:26 --------- d-----w C:\Program Files\MSECache
2008-07-25 10:33 --------- d-----w C:\Program Files\Noel Danjou
2008-07-15 16:01 --------- d-----w C:\Program Files\iriver
2008-07-15 06:54 --------- d-----w C:\Documents and Settings\dhen\Application Data\FMZilla
2008-07-14 23:52 --------- d-----w C:\Program Files\Orbitdownloader
2008-07-14 15:06 --------- d-----w C:\Documents and Settings\dhen\Application Data\Xilisoft Corporation
2008-07-14 09:22 --------- d-----w C:\Documents and Settings\dhen\Application Data\Orbit
2008-07-14 09:16 --------- d-----w C:\Program Files\Pegasys Inc
2008-07-14 09:14 --------- d-----w C:\Documents and Settings\dhen\Application Data\GrabPro
2008-04-27 13:43 47,360 ----a-w C:\Documents and Settings\dhen\Application Data\pcouffin.sys
2008-05-18 02:24 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051820080519\index.dat
.

------- Sigcheck -------

2006-01-13 10:03 360448 2a4818aea80acd2c95d7d92d2f3155f8 C:\WINDOWS\system32\drivers\tcpip.sys

2006-01-13 09:46 1075200 2deaca71a7fd77205f59d48d76b2f565 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-01-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-03 13508608]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-01-03 86016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 580096]
"BigDog303"="C:\WINDOWS\VM303_STI.EXE" [2005-10-25 61440]
"VirtualDrive"="C:\Program Files\FarStone\VirtualDrive\vdtask.exe" [2002-01-09 184320]
"nwiz"="nwiz.exe" [2008-01-03 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-05-27 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2006-01-13 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-04-30 1183744]
Monitor Apache Servers.lnk - D:\Programs\WServer\Apache2\bin\ApacheMonitor.exe [2005-04-16 41042]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoAdminPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoPwdPage"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"NoSecCPL"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoPwdPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"HideDesktop"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"ClearDocsOnExit"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"AutoUpdate"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoAutoUpdate"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoToolbarsCustomize"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"DisableTaskMgr"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"HideDesktop"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"ClearDocsOnExit"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekw62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fyv85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jsP28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uoU86.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11983:TCP"= 11983:TCP:@xpsp2res.dll,-22004
"1650:TCP"= 1650:TCP:@xpsp2res.dll,-22004
"35401:TCP"= 35401:TCP:@xpsp2res.dll,-22004
"31716:TCP"= 31716:TCP:@xpsp2res.dll,-22004
"5307:TCP"= 5307:TCP:@xpsp2res.dll,-22004

R0 sikuqbzz;sikuqbzz;C:\WINDOWS\system32\drivers\tjwzvmzz.dat [ ]
R1 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys [2001-12-21 46735]
R2 DF5Server;Deep Freeze Server Service;C:\Program Files\Faronics\Deep Freeze Enterprise Server\DF5ServerService.exe [2008-08-21 958836]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2007-11-01 36864]
R3 FsHotKey;FsHotKey;C:\WINDOWS\system32\drivers\FsHotKey.sys [2001-12-31 3855]
S0 Ekw62;Ekw62;C:\WINDOWS\system32\Drivers\Ekw62.sys [ ]
S0 Fyv85;Fyv85;C:\WINDOWS\system32\Drivers\Fyv85.sys [ ]
S0 jsP28;jsP28;C:\WINDOWS\system32\Drivers\jsP28.sys [ ]
S0 uoU86;uoU86;C:\WINDOWS\system32\Drivers\uoU86.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03e1111a-6d91-11dd-a792-000272b00026}]
\Shell\0pen\command - H:\krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03e1112e-6d91-11dd-a792-000272b00026}]
\Shell\AutoRun\command - H:\lgrncie.bat
\Shell\explore\Command - H:\lgrncie.bat
\Shell\open\Command - H:\lgrncie.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03e111eb-6d91-11dd-a792-000272b00026}]
\Shell\AutoRun\command - H:\y82td3td.com
\Shell\explore\Command - H:\y82td3td.com
\Shell\open\Command - H:\y82td3td.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{052009ef-68dc-11dd-a78c-000272b00026}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{052009f0-68dc-11dd-a78c-000272b00026}]
\Shell\AutoRun\command - I:\bar311.exe %1
\Shell\Explore\command - I:\bar311.exe %1
\Shell\Open\command - I:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{052009f5-68dc-11dd-a78c-000272b00026}]
\Shell\AutoRun\command - I:\vuts0e.cmd
\Shell\explore\Command - I:\vuts0e.cmd
\Shell\open\Command - I:\vuts0e.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05522994-4d55-11dd-a759-001583b3d1f3}]
\Shell\AutoRun\command - H:\wak.cmd
\Shell\explore\Command - H:\wak.cmd
\Shell\open\Command - H:\wak.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05ca4378-31de-11dd-a711-000272b00026}]
\Shell\AutoRun\command - H:\SSCVIHOST.exe
\Shell\Open\command - H:\SSCVIHOST.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06c9a6aa-50d0-11dd-a761-000272b00026}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07c4c33c-6a63-11dd-a78e-000272b00026}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{086f23c2-12ae-11dd-9f69-000272b00026}]
\Shell\AutoRun\command - I:\n.com
\Shell\explore\Command - I:\n.com
\Shell\open\Command - I:\n.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{086f242d-12ae-11dd-9f69-000272b00026}]
\Shell\AutoRun\command - I:\bar311.exe %1
\Shell\Explore\command - I:\bar311.exe %1
\Shell\Open\command - I:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cb2a327-5d11-11dd-a77a-000272b00026}]
\Shell\AutoRun\command - H:\hgu.bat
\Shell\explore\Command - H:\hgu.bat
\Shell\open\Command - H:\hgu.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f673a75-489f-11dd-a745-000272b00026}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f673abc-489f-11dd-a745-001583b3d1f3}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1574c589-4276-11dd-a735-000272b00026}]
\Shell\AutoRun\command - r.bat
\Shell\explore\Command - r.bat
\Shell\open\Command - r.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16d356fa-38e8-11dd-a721-001583b3d1f3}]
\Shell\AutoRun\command - H:\
\Shell\explore\Command - WScript.exe .\alecks.vbs
\Shell\open\Command - WScript.exe .\alecks.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18f878e7-1b12-11dd-a6e8-000272b00026}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe antz.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19a981e5-3432-11dd-a719-000272b00026}]
\Shell\AutoRun\command - I:\w00g.exe
\Shell\explore\Command - I:\w00g.exe
\Shell\open\Command - I:\w00g.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19a9825b-3432-11dd-a719-000272b00026}]
\Shell\AutoRun\command - H:\w00g.exe
\Shell\explore\Command - H:\w00g.exe
\Shell\open\Command - H:\w00g.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e4957f5-3502-11dd-a71a-000272b00026}]
\Shell\AutoRun\command - c18vk.exe
\Shell\explore\Command - c18vk.exe
\Shell\open\Command - c18vk.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fad8190-7c88-11dd-a7bc-001583b3d1f3}]
\Shell\AutoRun\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\lovely.exe
\Shell\open\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\lovely.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1ffc0210-7965-11dd-a7b3-001583b3d1f3}]
\Shell\AutoRun\command - I:\r1y1.bat
\Shell\explore\Command - I:\r1y1.bat
\Shell\open\Command - I:\r1y1.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2269e65a-0df3-11dd-9f5f-001e8c9743e8}]
\Shell\AutoRun\command - I:\kk3.bat
\Shell\explore\Command - I:\kk3.bat
\Shell\open\Command - I:\kk3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{238e880d-232a-11dd-a6f8-000272b00026}]
\Shell\AutoRun\command - H:\bar311.exe %1
\Shell\Explore\command - H:\bar311.exe %1
\Shell\Open\command - H:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24889669-56bf-11dd-a76b-000272b00026}]
\Shell\AutoRun\command - I:\bar311.exe %1
\Shell\Explore\command - I:\bar311.exe %1
\Shell\Open\command - I:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24889696-56bf-11dd-a76b-000272b00026}]
\Shell\AutoRun\command - SilentSoftech.exe
\Shell\explore\command - SilentSoftech.exe
\Shell\open\command - SilentSoftech.exe
\Shell\var1\command - SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28152c36-35ca-11dd-a71b-000272b00026}]
\Shell\Autoplay\Command - I:\smss.exe
\Shell\AutoRun\command - I:\smss.exe
\Shell\Explore\Command - I:\smss.exe
\Shell\Open\Command - I:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2821a6a6-1b1b-11dd-a6e9-000272b00026}]
\Shell\AutoRun\command - SilentSoftech.exe
\Shell\explore\command - SilentSoftech.exe
\Shell\open\command - SilentSoftech.exe
\Shell\var1\command - SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ba133e3-6743-11dd-a78a-000272b00026}]
\Shell\AutoPlay\Command - wscript.exe sowar.vbs
\Shell\AutoRun\command - wscript.exe sowar.vbs
\Shell\Explore\Command - wscript.exe sowar.vbs
\Shell\Open\Command - wscript.exe sowar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ba13416-6743-11dd-a78a-000272b00026}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d23db39-3d9c-11dd-a72b-000272b00026}]
\Shell\0pen\command - H:\krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d23dbd4-3d9c-11dd-a72b-001583b3d1f3}]
\Shell\Autoplay\Command - H:\xmss.exe
\Shell\AutoRun\command - H:\xmss.exe
\Shell\Explore\Command - H:\xmss.exe
\Shell\Open\Command - H:\xmss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f3b23b5-5aca-11dd-a776-000272b00026}]
\Shell\AutoRun\command - J:\n.com
\Shell\explore\Command - J:\n.com
\Shell\open\Command - J:\n.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31e58f6f-39b9-11dd-a722-001583b3d1f3}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35e139c2-2484-11dd-a6fa-000272b00026}]
\Shell\AutoRun\command - H:\du08sout.cmd
\Shell\explore\Command - H:\du08sout.cmd
\Shell\open\Command - H:\du08sout.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35e139de-2484-11dd-a6fa-000272b00026}]
\Shell\auto\command - K:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - K:\Knight.exe open
\Shell\find\command - K:\Knight.exe open
\Shell\install\command - K:\Knight.exe open
\Shell\open\command - K:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35e13a75-2484-11dd-a6fa-000272b00026}]
\Shell\AutoRun\command - I:\SilentSoftech.exe
\Shell\explore\command - I:\SilentSoftech.exe
\Shell\open\command - I:\SilentSoftech.exe
\Shell\var1\command - I:\SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39aaa043-1984-11dd-9f7a-000272b00026}]
\Shell\AutoRun\command - scvshosts.exe
\Shell\Open\command - scvshosts.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3aaeceac-43e2-11dd-a738-000272b00026}]
\Shell\AutoRun\command - H:\bar311.exe %1
\Shell\Explore\command - H:\bar311.exe %1
\Shell\Open\command - H:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dd42ef8-158a-11dd-9f72-001e8c9743e8}]
\Shell\Auto\command - I:\setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40cb1892-7307-11dd-a79b-000272b00026}]
\Shell\AutoRun\command - wpfdd.exe
\Shell\explore\Command - wpfdd.exe
\Shell\open\Command - wpfdd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b18d9e-2c5d-11dd-a709-000272b00026}]
\Shell\AutoRun\command - H:\bar311.exe %1
\Shell\Explore\command - H:\bar311.exe %1
\Shell\Open\command - H:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b18ddd-2c5d-11dd-a709-000272b00026}]
\Shell\AutoRun\command - J:\bar311.exe %1
\Shell\Explore\command - J:\bar311.exe %1
\Shell\Open\command - J:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b18e1d-2c5d-11dd-a709-000272b00026}]
\Shell\AutoRun\command - H:\bar311.exe %1
\Shell\Explore\command - H:\bar311.exe %1
\Shell\Open\command - H:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42a34139-310e-11dd-a710-000272b00026}]
\Shell\AutoRun\command - H:\
\Shell\explore\Command - WScript.exe .\__.vbs
\Shell\open\Command - WScript.exe .\__.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a9a7a1c-749a-11dd-a7ad-000272b00026}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{595dc360-4652-11dd-a73e-000272b00026}]
\Shell\AutoRun\command - y0gcubk.exe
\Shell\explore\Command - y0gcubk.exe
\Shell\open\Command - y0gcubk.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a2bf94a-8136-11dd-a7c6-000272b00026}]
\Shell\AutoRun\command - I:\bar311.exe %1
\Shell\Explore\command - I:\bar311.exe %1
\Shell\Open\command - I:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a2bf9af-8136-11dd-a7c6-000272b00026}]
\Shell\AutoRun\command - I:\password_viewer.exe %1
\Shell\Explore\command - I:\password_viewer.exe %1
\Shell\Open\command - I:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cd78aa2-1fc9-11dd-a6f1-000272b00026}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uragon.txt.js "%1"
\Shell\E&xplore\command - wscript.exe uragon.txt.js "%1"
\Shell\verb\command - wscript.exe uragon.txt.js "%1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cd78acf-1fc9-11dd-a6f1-000272b00026}]
\Shell\AutoRun\command - K:\
\Shell\explore\Command - WScript.exe .\__.vbs
\Shell\open\Command - WScript.exe .\__.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d2bffef-5e98-11dd-a77d-000272b00026}]
\Shell\AutoRun\command - H:\bar311.exe %1
\Shell\Explore\command - H:\bar311.exe %1
\Shell\Open\command - H:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5da2e0a4-27a1-11dd-a6fe-001583b3d1f3}]
\Shell\AutoRun\command - H:\fg8m.exe
\Shell\explore\Command - H:\fg8m.exe
\Shell\open\Command - H:\fg8m.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fcdb8db-3f45-11dd-a72e-000272b00026}]
\Shell\AutoRun\command - ms-dos\ntdlr.com
\Shell\Explore\command - ms-dos\ntdlr.com
\Shell\Open\command - ms-dos\ntdlr.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60b33364-717f-11dd-a798-000272b00026}]
\Shell\AutoRun\command - J:\ms-dos\ntdlr.com
\Shell\Explore\command - J:\ms-dos\ntdlr.com
\Shell\Open\command - J:\ms-dos\ntdlr.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61e0a632-6b37-11dd-a78f-000272b00026}]
\Shell\AutoRun\command - H:\t1ypkh.exe
\Shell\explore\Command - H:\t1ypkh.exe
\Shell\open\Command - H:\t1ypkh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62706f4a-5605-11dd-a76a-000272b00026}]
\Shell\Auto\command - wscript "Sex City.jpg.wsf"
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "Sex City.jpg.wsf"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62706f89-5605-11dd-a76a-000272b00026}]
\Shell\AutoRun\command - I:\t.com
\Shell\explore\Command - I:\t.com
\Shell\open\Command - I:\t.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62706f90-5605-11dd-a76a-000272b00026}]
\Shell\AutoRun\command - N:\bar311.exe %1
\Shell\Explore\command - N:\bar311.exe %1
\Shell\Open\command - N:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62706f9a-5605-11dd-a76a-000272b00026}]
\Shell\Auto\command - J:\exp1orer.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exp1orer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62706fa9-5605-11dd-a76a-000272b00026}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{635ec0b6-76ff-11dd-a7b0-000272b00026}]
\Shell\AutoRun\command - I:\yssjnngm.cmd
\Shell\explore\Command - I:\yssjnngm.cmd
\Shell\open\Command - I:\yssjnngm.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{635ec17e-76ff-11dd-a7b0-000272b00026}]
\Shell\Autoplay\Command - I:\smss.exe
\Shell\AutoRun\command - I:\smss.exe
\Shell\Explore\Command - I:\smss.exe
\Shell\Open\Command - I:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65f5b2cb-3299-11dd-a716-000272b00026}]
\Shell\Auto\command - J:\setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65f5b305-3299-11dd-a716-000272b00026}]
\Shell\AutoRun\command - I:\ipy.cmd
\Shell\explore\Command - I:\ipy.cmd
\Shell\open\Command - I:\ipy.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{661ade2f-3cd6-11dd-a72a-000272b00026}]
\Shell\AutoRun\command - H:\ut.com
\Shell\explore\Command - H:\ut.com
\Shell\open\Command - H:\ut.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{661ade67-3cd6-11dd-a72a-000272b00026}]
\Shell\AutoRun\command - H:\SilentSoftech.exe
\Shell\explore\command - H:\SilentSoftech.exe
\Shell\open\command - H:\SilentSoftech.exe
\Shell\var1\command - H:\SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67130736-18b0-11dd-9f78-000272b00026}]
\Shell\AutoRun\command - H:\SCVHOST.exe
\Shell\Open\command - H:\SCVHOST.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67130738-18b0-11dd-9f78-000272b00026}]
\Shell\AutoRun\command - d.cmd
\Shell\explore\Command - d.cmd
\Shell\open\Command - d.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6713073a-18b0-11dd-9f78-000272b00026}]
\Shell\AutoRun\command - H:\
\Shell\explore\Command - WScript.exe .\test.vbs
\Shell\open\Command - WScript.exe .\test.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a02750f-5b81-11dd-a777-000272b00026}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uragon.txt.js "%1"
\Shell\E&xplore\command - wscript.exe uragon.txt.js "%1"
\Shell\verb\command - wscript.exe uragon.txt.js "%1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b3c3691-1c9f-11dd-a6eb-000272b00026}]
\Shell\AutoRun\command - r26x.cmd
\Shell\explore\Command - r26x.cmd
\Shell\open\Command - r26x.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d25565b-8205-11dd-a7c7-000272b00026}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d25565e-8205-11dd-a7c7-000272b00026}]
\Shell\AutoRun\command - New Folder.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d25566e-8205-11dd-a7c7-000272b00026}]
\Shell\AutoRun\command - I:\bar311.exe %1
\Shell\Explore\command - I:\bar311.exe %1
\Shell\Open\command - I:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d2556b6-8205-11dd-a7c7-000272b00026}]
\Shell\AutoRun\command - dhv2u8.cmd
\Shell\explore\Command - dhv2u8.cmd
\Shell\open\Command - dhv2u8.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d2556cd-8205-11dd-a7c7-000272b00026}]
\Shell\AutoRun\command - H:\ms-dos\ntdlr.com
\Shell\Explore\command - H:\ms-dos\ntdlr.com
\Shell\Open\command - H:\ms-dos\ntdlr.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d255727-8205-11dd-a7c7-000272b00026}]
\Shell\AutoPlay\Command - wscript.exe sowar.vbs
\Shell\AutoRun\command - wscript.exe sowar.vbs
\Shell\Explore\Command - wscript.exe sowar.vbs
\Shell\Open\Command - wscript.exe sowar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d25572d-8205-11dd-a7c7-000272b00026}]
\Shell\AutoRun\command - I:\password_viewer.exe %1
\Shell\Explore\command - I:\password_viewer.exe %1
\Shell\Open\command - I:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d693926-5461-11dd-a768-000272b00026}]
\Shell\AutoRun\command - ipy.cmd
\Shell\explore\Command - ipy.cmd
\Shell\open\Command - ipy.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6db9b296-5f71-11dd-a77e-000272b00026}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6db9b2e9-5f71-11dd-a77e-000272b00026}]
\Shell\AutoRun\command - H:\amn.exe
\Shell\explore\Command - H:\amn.exe
\Shell\open\Command - H:\amn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e391e6e-7e05-11dd-a7c1-000272b00026}]
\Shell\AutoRun\command - J:\ms-dos\ntdlr.com
\Shell\Explore\command - J:\ms-dos\ntdlr.com
\Shell\Open\command - J:\ms-dos\ntdlr.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e391e6f-7e05-11dd-a7c1-000272b00026}]
\Shell\AutoRun\command - O:\ms-dos\ntdlr.com
\Shell\Explore\command - O:\ms-dos\ntdlr.com
\Shell\Open\command - O:\ms-dos\ntdlr.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e391e94-7e05-11dd-a7c1-000272b00026}]
\Shell\0pen\command - J:\krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ea875e1-496c-11dd-a746-000272b00026}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ea875f1-496c-11dd-a746-000272b00026}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{745dfbcc-507a-11dd-a760-000272b00026}]
\Shell\AutoRun\command - H:\bar311.exe %1
\Shell\Explore\command - H:\bar311.exe %1
\Shell\Open\command - H:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{759d576b-1402-11dd-9f6f-001e8c9743e8}]
\Shell\Auto\command - I:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{798dd9ca-65b2-11dd-a786-000272b00026}]
\Shell\AutoRun\command - xc9f3l6.cmd
\Shell\explore\Command - xc9f3l6.cmd
\Shell\open\Command - xc9f3l6.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7da876ce-70b8-11dd-a797-000272b00026}]
\Shell\AutoRun\command - I:\jay.exe
\Shell\explore\Command - I:\jay.exe
\Shell\open\Command - I:\jay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7da876ef-70b8-11dd-a797-000272b00026}]
\Shell\AutoRun\command - I:\bar311.exe %1
\Shell\Explore\command - I:\bar311.exe %1
\Shell\Open\command - I:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4cbe63-6f28-11dd-a795-001583b3d1f3}]
\Shell\AutoRun\command - I:\password_viewer.exe %1
\Shell\Explore\command - I:\password_viewer.exe %1
\Shell\Open\command - I:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4cbe6f-6f28-11dd-a795-001583b3d1f3}]
\Shell\AutoRun\command - I:\32.com
\Shell\explore\Command - I:\32.com
\Shell\open\Command - I:\32.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4cbe7e-6f28-11dd-a795-001583b3d1f3}]
\Shell\Autoplay\Command - xmss.exe
\Shell\AutoRun\command - xmss.exe
\Shell\Explore\Command - xmss.exe
\Shell\Open\Command - xmss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4cbe92-6f28-11dd-a795-001583b3d1f3}]
\Shell\AutoRun\command - H:\bar311.exe %1
\Shell\Explore\command - H:\bar311.exe %1
\Shell\Open\command - H:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4cbe98-6f28-11dd-a795-001583b3d1f3}]
\Shell\0pen\command - H:\krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{835414a7-4af6-11dd-a74a-000272b00026}]
\Shell\AutoRun\command - H:\ms-dos\ntdlr.com
\Shell\Explore\command - H:\ms-dos\ntdlr.com
\Shell\Open\command - H:\ms-dos\ntdlr.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{835414ae-4af6-11dd-a74a-000272b00026}]
\Shell\AutoRun\command - H:\bud3.bat
\Shell\explore\Command - H:\bud3.bat
\Shell\open\Command - H:\bud3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{835414e5-4af6-11dd-a74a-000272b00026}]
\Shell\AutoRun\command - xn1i9x.com
\Shell\explore\Command - xn1i9x.com
\Shell\open\Command - xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87979bb8-1a87-11dd-a6e7-000272b00026}]
\Shell\Auto\command - I:\exp1orer.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exp1orer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f63ab55-5145-11dd-a762-000272b00026}]
\Shell\0pen\command - H:\krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f63ab56-5145-11dd-a762-000272b00026}]
\Shell\AutoRun\command - mnl6on3.com
\Shell\explore\Command - mnl6on3.com
\Shell\open\Command - mnl6on3.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9590741d-735e-11dd-a79c-000272b00026}]
\Shell\AutoRun\command - I:\zPharaoh.exe
\Shell\explore\command - I:\zPharaoh.exe
\Shell\open\command - I:\zPharaoh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b098a1e-6040-11dd-a77f-000272b00026}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b735b6a-4fb4-11dd-a75f-000272b00026}]
\Shell\AutoRun\command - H:\bar311.exe %1
\Shell\Explore\command - H:\bar311.exe %1
\Shell\Open\command - H:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d5991bc-1be0-11dd-a6ea-000272b00026}]
\Shell\AutoRun\command - N:\63.com
\Shell\explore\Command - N:\63.com
\Shell\open\Command - N:\63.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e7bbaf8-756a-11dd-a7ae-000272b00026}]
\Shell\AutoRun\command - N:\password_viewer.exe %1
\Shell\Explore\command - N:\password_viewer.exe %1
\Shell\Open\command - N:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fb72e40-0eb3-11dd-9f61-001e8c9743e8}]
\Shell\Auto\command - H:\Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - H:\Recycled/dllcache32.exe
\Shell\open\Command - H:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fb72e52-0eb3-11dd-9f61-001e8c9743e8}]
\Shell\Auto\command - K:\exp1orer.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exp1orer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b7e6bd-4cd6-11dd-a753-000272b00026}]
\Shell\auto\command - Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - Knight.exe open
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\command - Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a605f8d1-3abb-11dd-a724-000272b00026}]
\Shell\Auto\command - H:\Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - H:\Recycled/dllcache32.exe
\Shell\open\Command - H:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a605f8d6-3abb-11dd-a724-000272b00026}]
\shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL winhost.exe
\shell\Scan\Command - winhost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a605f918-3abb-11dd-a724-000272b00026}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a609907f-17ef-11dd-9f77-000272b00026}]
\Shell\AutoRun\command - rqb0v2ot.bat
\Shell\explore\Command - rqb0v2ot.bat
\Shell\open\Command - rqb0v2ot.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a70cf873-7aeb-11dd-a7b7-001583b3d1f3}]
\Shell\AutoRun\command - I:\r.bat
\Shell\explore\Command - I:\r.bat
\Shell\open\Command - I:\r.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a70cf87e-7aeb-11dd-a7b7-000272b00026}]
\Shell\AutoRun\command - tyktjfww.exe
\Shell\explore\Command - tyktjfww.exe
\Shell\open\Command - tyktjfww.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a70cf8aa-7aeb-11dd-a7b7-000272b00026}]
\Shell\AutoRun\command - I:\bar311.exe %1
\Shell\Explore\command - I:\bar311.exe %1
\Shell\Open\command - I:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ef931d-77bf-11dd-a7b1-000272b00026}]
\Shell\AutoRun\command - I:\r26x.cmd
\Shell\explore\Command - I:\r26x.cmd
\Shell\open\Command - I:\r26x.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aad674b9-6357-11dd-a783-000272b00026}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0305e0e-642c-11dd-a784-001583b3d1f3}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0506d3c-69a6-11dd-a78d-000272b00026}]
\Shell\AutoRun\command - I:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0506d5c-69a6-11dd-a78d-000272b00026}]
\Shell\AutoRun\command - I:\
\Shell\explore\Command - WScript.exe .\__.vbs
\Shell\open\Command - WScript.exe .\__.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1592984-2930-11dd-a700-000272b00026}]
\Shell\AutoRun\command - h2.com
\Shell\explore\Command - h2.com
\Shell\open\Command - h2.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1592a7b-2930-11dd-a700-000272b00026}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbea0f39-2df0-11dd-a70b-000272b00026}]
\Shell\AutoRun\command - 3g.com
\Shell\explore\Command - 3g.com
\Shell\open\Command - 3g.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0057ce7-7d46-11dd-a7c0-000272b00026}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0057d34-7d46-11dd-a7c0-000272b00026}]
\Shell\AutoRun\command - scvhosts.exe
\Shell\Open\command - scvhosts.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c39fb2b9-3e65-11dd-a72c-001583b3d1f3}]
\Shell\AutoRun\command - g2lbn.cmd
\Shell\explore\Command - g2lbn.cmd
\Shell\open\Command - g2lbn.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8842632-4ee6-11dd-a75e-000272b00026}]
\Shell\AutoRun\command - H:\bar311.exe %1
\Shell\Explore\command - H:\bar311.exe %1
\Shell\Open\command - H:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadd0c72-788e-11dd-a7b2-001583b3d1f3}]
\Shell\AutoPlay\Command - wscript.exe sowar.vbs
\Shell\AutoRun\command - wscript.exe sowar.vbs
\Shell\Explore\Command - wscript.exe sowar.vbs
\Shell\Open\Command - wscript.exe sowar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadd0c75-788e-11dd-a7b2-001583b3d1f3}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadd0c76-788e-11dd-a7b2-001583b3d1f3}]
\Shell\AutoRun\command - O:\2.cmd
\Shell\explore\Command - O:\2.cmd
\Shell\open\Command - O:\2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd8026bf-3c42-11dd-a728-000272b00026}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd8026ea-3c42-11dd-a728-000272b00026}]
\Shell\Autoplay\Command - H:\smss.exe
\Shell\AutoRun\command - H:\smss.exe
\Shell\Explore\Command - H:\smss.exe
\Shell\Open\Command - H:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d67849e2-5854-11dd-a76e-000272b00026}]
\Shell\AutoRun\command - 3g.com
\Shell\explore\Command - 3g.com
\Shell\open\Command - 3g.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6784a9e-5854-11dd-a76e-000272b00026}]
\Shell\AutoRun\command - H:\p83gjy.exe
\Shell\explore\Command - H:\p83gjy.exe
\Shell\open\Command - H:\p83gjy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d94f7b83-0db2-11dd-9f5e-001e8c9743e8}]
\Shell\Auto\command - H:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db4a36bd-11de-11dd-9f67-001e8c9743e8}]
\Shell\AutoRun\command - J:\bar311.exe %1
\Shell\Explore\command - J:\bar311.exe %1
\Shell\Open\command - J:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd137702-418c-11dd-a733-000272b00026}]
\Shell\Auto\command - I:\setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{debd40ae-1333-11dd-9f6b-001e8c9743e8}]
\Shell\AutoRun\command - I:\39lpji.com
\Shell\explore\Command - I:\39lpji.com
\Shell\open\Command - I:\39lpji.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{debd40e7-1333-11dd-9f6b-001e8c9743e8}]
\Shell\auto\command - I:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - I:\Knight.exe open
\Shell\find\command - I:\Knight.exe open
\Shell\install\command - I:\Knight.exe open
\Shell\open\command - I:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e31c6b1e-0b50-11dd-9f59-001e8c9743e8}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e31c6b26-0b50-11dd-9f59-001e8c9743e8}]
\Shell\AutoRun\command - I:\SSCVIHOST.exe
\Shell\Open\command - I:\SSCVIHOST.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7ab3c4b-2b8d-11dd-a708-000272b00026}]
\Shell\AutoRun\command - dhv2u8.cmd
\Shell\explore\Command - dhv2u8.cmd
\Shell\open\Command - dhv2u8.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8c7e534-628a-11dd-a782-000272b00026}]
\Shell\0pen\command - krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e966e1bd-1a4a-11dd-9f7b-001583b3d1f3}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe antz.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3d73eb4-0a89-11dd-9f57-001e8c9743e8}]
\Shell\AutoRun\command - H:\bar311.exe %1
\Shell\Explore\command - H:\bar311.exe %1
\Shell\Open\command - H:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f52b4852-7250-11dd-a79a-000272b00026}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exiplorer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f52b48ca-7250-11dd-a79a-000272b00026}]
\Shell\AutoRun\command - I:\scvhost.exe
\Shell\Open\command - I:\scvhost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f72fa7f0-73fc-11dd-a7ab-000272b00026}]
\Shell\AutoRun\command - N:\bar311.exe %1
\Shell\Explore\command - N:\bar311.exe %1
\Shell\Open\command - N:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f72fa830-73fc-11dd-a7ab-000272b00026}]
\Shell\AutoRun\command - N:\h8txw.exe
\Shell\explore\Command - N:\h8txw.exe
\Shell\open\Command - N:\h8txw.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa60f29f-7bb5-11dd-a7ba-000272b00026}]
\Shell\AutoRun\command - I:\password_viewer.exe %1
\Shell\Explore\command - I:\password_viewer.exe %1
\Shell\Open\command - I:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa60f2ea-7bb5-11dd-a7ba-000272b00026}]
\Shell\AutoRun\command - b3b9u.com
\Shell\explore\Command - b3b9u.com
\Shell\open\Command - b3b9u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb7842ba-3759-11dd-a71e-000272b00026}]
\Shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdcf2b81-11a7-11dd-9f66-001e8c9743e8}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdcf2b82-11a7-11dd-9f66-001e8c9743e8}]
\Shell\AutoRun\command - G:\noautorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe9c5c12-40c7-11dd-a732-000272b00026}]
\Shell\AutoRun\command - I:\bar311.exe %1
\Shell\Explore\command - I:\bar311.exe %1
\Shell\Open\command - I:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fee483ff-4a35-11dd-a747-000272b00026}]
\Shell\AutoRun\command - I:\bar311.exe %1
\Shell\Explore\command - I:\bar311.exe %1
\Shell\Open\command - I:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff3ac035-52ed-11dd-a766-000272b00026}]
\Shell\AutoRun\command - H:\wak.cmd
\Shell\explore\Command - H:\wak.cmd
\Shell\open\Command - H:\wak.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffd62473-7ed3-11dd-a7c2-000272b00026}]
\Shell\Autoplay\Command - smss.exe
\Shell\AutoRun\command - smss.exe
\Shell\Explore\Command - smss.exe
\Shell\Open\Command - smss.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-msnsc - C:\WINDOWS\system32\msnsc.exe
Notify-AutorunsDisabled - (no file)
Notify-fipsbqlkjih - fipsbqlkjih.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\dhen\Application Data\Mozilla\Firefox\Profiles\gp3ibbmu.default\
FF -: plugin - C:\Documents and Settings\dhen\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 00:38:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"D:\Programs\Webserver\MySQl\bin\mysqld-nt\" --defaults-file=\"D:\Programs\Webserver\MySQl\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sikuqbzz]
"ImagePath"="system32\drivers\tjwzvmzz.dat"
.
------------------------ Other Running Processes ------------------------
.
D:\Programs\WServer\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\Programs\WServer\Apache2\bin\Apache.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\rundll32.exe
D:\Programs\Webserver\MySQl\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-15 0:44:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-14 16:43:52

Pre-Run: 60,092,768,256 bytes free
Post-Run: 60,149,583,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=RIBSBA /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=RIBSBA-BAK


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:33 PM

Posted 14 September 2008 - 03:16 PM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.


It looks like you have already been dealing with malware for a long time :thumbsup:
This means you have probably infected a lot of other computers in the meanwhile as well, since you are also dealing with a flashdrive infection. And according to the huge amount of mountpoints2 entries being created, this infection has already been present for a while.

Please disable Deepfreezer while performing the following steps, because if you don't disable Deepfreezer, the removals the tools made will be undone again after reboot.
Also, I don't understand why you have Deepfreezer installed while this system is so severely infected. If you had had your Deepfreezer enabled in the first place and you got infected, then a simple reboot would have undone it again. So please explain why you use Deepfreezer if you don't enable it.

* Download the next removal tool to your desktop:
http://www.techsupportforum.com/sectools/s...Disinfector.exe
If you have any flashdrives that were used previously, since this is a flashdrive infection, insert your flashdrive as well, because the above tool will disinfect it too.
Then double-click Flash_Disinfector.exe to run the tool.
Your desktop and icons will disappear afterwards. This is normal.
When the tool has finished, reboot your computer.

I also see a lot of policies that were created here by a tool, but they are disabled anyway, so they can be removed. In that case, the next instructions will remove the extra policies, which are not default ones and are disabled anyway.


* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

File::
C:\Windows\system32\drivers\tjwzvmzz.dat
C:\25.tmp
C:\17.tmp
C:\14.tmp
C:\13.tmp
C:\23.tmp
C:\24.tmp
C:\21.tmp
C:\18.tmp
C:\28.tmp
C:\12.tmp
C:\WINDOWS\winhost_app.dll
Dirlook::
C:\Documents and Settings\Administrator\ff_temp
C:\Documents and Settings\Administrator\7zS183B.tmp
Driver::
sikuqbzz
uoU86
Ekw62
jsP28
Fyv85
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"=-
"NoAdminPage"=-
"NoConfigPage"=-
"NoDevMgrPage"=-
"NoFileSysPage"=-
"NoVirtMemPage"=-
"NoPwdPage"=-
"DisableLockWorkstation"=-
"DisableChangePassword"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"=-
"DisableChangePassword"=-
"NoSecCPL"=-
"NoConfigPage"=-
"NoDevMgrPage"=-
"NoFileSysPage"=-
"NoVirtMemPage"=-
"NoPwdPage"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=-
"RestrictRun"=-
"EnforceShellExtensionSecurity"=-
"NoPrinters"=-
"NoBandCustomize"=-
"NoWinKeys"=-
"NoInstrumentation"=-
"HideDesktop"=-
"NoLogOff"=-
"NoWorkgroupContents"=-
"NoAddPrinter"=-
"NoDeletePrinter"=-
"NoPrinterTabs"=-
"ClearDocsOnExit"=-
"NoExpandedNewMenu"=-
"NoCommonGroups"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"=-
"NoPrinterTabs"=-
"RestrictRun"=-
"AutoUpdate"=-
"NoViewOnDrive"=-
"NoFavoritesMenu"=-
"NoBandCustomize"=-
"NoAutoUpdate"=-
"NoSMConfigurePrograms"=-
"NoToolbarsCustomize"=-
"NoUserNameInStartMenu"=-
"DisableTaskMgr"=-
"EnforceShellExtensionSecurity"=-
"NoPrinters"=-
"NoWinKeys"=-
"NoInstrumentation"=-
"HideDesktop"=-
"NoWorkgroupContents"=-
"NoAddPrinter"=-
"NoDeletePrinter"=-
"ClearDocsOnExit"=-
"NoExpandedNewMenu"=-
"NoCommonGroups"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekw62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fyv85.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jsP28.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uoU86.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03e1111a-6d91-11dd-a792-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03e1112e-6d91-11dd-a792-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03e111eb-6d91-11dd-a792-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{052009f0-68dc-11dd-a78c-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{052009f5-68dc-11dd-a78c-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05522994-4d55-11dd-a759-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05ca4378-31de-11dd-a711-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{086f23c2-12ae-11dd-9f69-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{086f242d-12ae-11dd-9f69-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cb2a327-5d11-11dd-a77a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f673a75-489f-11dd-a745-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f673abc-489f-11dd-a745-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1574c589-4276-11dd-a735-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16d356fa-38e8-11dd-a721-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18f878e7-1b12-11dd-a6e8-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19a981e5-3432-11dd-a719-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19a9825b-3432-11dd-a719-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e4957f5-3502-11dd-a71a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fad8190-7c88-11dd-a7bc-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1ffc0210-7965-11dd-a7b3-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2269e65a-0df3-11dd-9f5f-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{238e880d-232a-11dd-a6f8-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24889669-56bf-11dd-a76b-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24889696-56bf-11dd-a76b-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28152c36-35ca-11dd-a71b-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2821a6a6-1b1b-11dd-a6e9-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ba133e3-6743-11dd-a78a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ba13416-6743-11dd-a78a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d23db39-3d9c-11dd-a72b-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d23dbd4-3d9c-11dd-a72b-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f3b23b5-5aca-11dd-a776-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31e58f6f-39b9-11dd-a722-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35e139c2-2484-11dd-a6fa-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35e139de-2484-11dd-a6fa-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35e13a75-2484-11dd-a6fa-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39aaa043-1984-11dd-9f7a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3aaeceac-43e2-11dd-a738-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dd42ef8-158a-11dd-9f72-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40cb1892-7307-11dd-a79b-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b18d9e-2c5d-11dd-a709-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b18ddd-2c5d-11dd-a709-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b18e1d-2c5d-11dd-a709-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42a34139-310e-11dd-a710-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a9a7a1c-749a-11dd-a7ad-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{595dc360-4652-11dd-a73e-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a2bf94a-8136-11dd-a7c6-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a2bf9af-8136-11dd-a7c6-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cd78aa2-1fc9-11dd-a6f1-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cd78acf-1fc9-11dd-a6f1-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d2bffef-5e98-11dd-a77d-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5da2e0a4-27a1-11dd-a6fe-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fcdb8db-3f45-11dd-a72e-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60b33364-717f-11dd-a798-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61e0a632-6b37-11dd-a78f-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62706f4a-5605-11dd-a76a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62706f89-5605-11dd-a76a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62706f90-5605-11dd-a76a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62706f9a-5605-11dd-a76a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62706fa9-5605-11dd-a76a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{635ec0b6-76ff-11dd-a7b0-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{635ec17e-76ff-11dd-a7b0-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65f5b2cb-3299-11dd-a716-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65f5b305-3299-11dd-a716-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{661ade2f-3cd6-11dd-a72a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{661ade67-3cd6-11dd-a72a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67130736-18b0-11dd-9f78-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67130738-18b0-11dd-9f78-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6713073a-18b0-11dd-9f78-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a02750f-5b81-11dd-a777-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b3c3691-1c9f-11dd-a6eb-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d25565b-8205-11dd-a7c7-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d25565e-8205-11dd-a7c7-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d25566e-8205-11dd-a7c7-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d2556b6-8205-11dd-a7c7-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d2556cd-8205-11dd-a7c7-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d255727-8205-11dd-a7c7-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d25572d-8205-11dd-a7c7-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d693926-5461-11dd-a768-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6db9b296-5f71-11dd-a77e-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6db9b2e9-5f71-11dd-a77e-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e391e6e-7e05-11dd-a7c1-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e391e6f-7e05-11dd-a7c1-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e391e94-7e05-11dd-a7c1-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ea875e1-496c-11dd-a746-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ea875f1-496c-11dd-a746-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{745dfbcc-507a-11dd-a760-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{759d576b-1402-11dd-9f6f-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{798dd9ca-65b2-11dd-a786-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7da876ce-70b8-11dd-a797-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7da876ef-70b8-11dd-a797-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4cbe63-6f28-11dd-a795-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4cbe6f-6f28-11dd-a795-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4cbe7e-6f28-11dd-a795-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4cbe92-6f28-11dd-a795-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f4cbe98-6f28-11dd-a795-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{835414a7-4af6-11dd-a74a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{835414ae-4af6-11dd-a74a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{835414e5-4af6-11dd-a74a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87979bb8-1a87-11dd-a6e7-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f63ab55-5145-11dd-a762-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f63ab56-5145-11dd-a762-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9590741d-735e-11dd-a79c-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b098a1e-6040-11dd-a77f-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b735b6a-4fb4-11dd-a75f-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d5991bc-1be0-11dd-a6ea-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e7bbaf8-756a-11dd-a7ae-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fb72e40-0eb3-11dd-9f61-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fb72e52-0eb3-11dd-9f61-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b7e6bd-4cd6-11dd-a753-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a605f8d1-3abb-11dd-a724-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a605f8d6-3abb-11dd-a724-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a605f918-3abb-11dd-a724-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a609907f-17ef-11dd-9f77-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a70cf873-7aeb-11dd-a7b7-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a70cf87e-7aeb-11dd-a7b7-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a70cf8aa-7aeb-11dd-a7b7-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ef931d-77bf-11dd-a7b1-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aad674b9-6357-11dd-a783-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0305e0e-642c-11dd-a784-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0506d3c-69a6-11dd-a78d-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0506d5c-69a6-11dd-a78d-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1592984-2930-11dd-a700-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1592a7b-2930-11dd-a700-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbea0f39-2df0-11dd-a70b-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0057d34-7d46-11dd-a7c0-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c39fb2b9-3e65-11dd-a72c-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8842632-4ee6-11dd-a75e-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadd0c72-788e-11dd-a7b2-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadd0c76-788e-11dd-a7b2-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd8026ea-3c42-11dd-a728-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d67849e2-5854-11dd-a76e-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6784a9e-5854-11dd-a76e-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d94f7b83-0db2-11dd-9f5e-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db4a36bd-11de-11dd-9f67-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd137702-418c-11dd-a733-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{debd40ae-1333-11dd-9f6b-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{debd40e7-1333-11dd-9f6b-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e31c6b1e-0b50-11dd-9f59-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e31c6b26-0b50-11dd-9f59-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7ab3c4b-2b8d-11dd-a708-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8c7e534-628a-11dd-a782-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e966e1bd-1a4a-11dd-9f7b-001583b3d1f3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3d73eb4-0a89-11dd-9f57-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f52b4852-7250-11dd-a79a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f52b48ca-7250-11dd-a79a-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f72fa7f0-73fc-11dd-a7ab-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f72fa830-73fc-11dd-a7ab-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa60f29f-7bb5-11dd-a7ba-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa60f2ea-7bb5-11dd-a7ba-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb7842ba-3759-11dd-a71e-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdcf2b81-11a7-11dd-9f66-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdcf2b82-11a7-11dd-9f66-001e8c9743e8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe9c5c12-40c7-11dd-a732-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fee483ff-4a35-11dd-a747-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff3ac035-52ed-11dd-a766-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffd62473-7ed3-11dd-a7c2-000272b00026}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe, as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
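The mountpoints2 entries quoted earlier in the thread are how Windows remembers the autorun.inf handlers of every removable drive that was ever plugged in, which is why the helper deletes them all. The script below is an added example, not part of this thread and not ComboFix's own code: it parses a ComboFix-style mountpoints2 dump, flags the patterns that separate an autorun worm from an ordinary CD autorun (payload named after a core Windows process, the Explore/Open verbs redirected so that merely browsing the drive runs it, script or legacy executable types), and emits the `[-HKEY_...]` CFScript lines in the form used above. The sample dump, its GUIDs and the heuristic lists are constructed for this example.

```python
"""Triage ComboFix 'mountpoints2' dump lines for autorun shell-handler hijacks.

Added example (not ComboFix code). SAMPLE_DUMP below is constructed in the
format ComboFix prints; the GUIDs are made up.
"""
import re
from dataclasses import dataclass, field

# A key line: [HKEY_CURRENT_USER\software\...\mountpoints2\{guid}]
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
# A handler line: \Shell\<verb>\command - <command line>
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)

# Core Windows processes that live in system32, never on removable media (assumed list)
SYSTEM_LOOKALIKES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                     "lsass.exe", "svchost.exe", "explorer.exe"}
# File types a legitimate vendor autorun rarely uses as its entry point (assumed list)
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".com", ".pif", ".scr")


@dataclass
class MountPoint:
    key: str
    handlers: dict = field(default_factory=dict)  # verb (lower-cased) -> command line


def parse_mountpoints(text):
    """Group handler lines under the mountpoints2 key that precedes them."""
    points, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = MountPoint(m.group(1))
            points.append(current)
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            current.handlers[m.group(1).lower()] = m.group(2).strip()
    return points


def assess(mp):
    """Return the reasons this entry looks like an autorun hijack (empty list = benign-looking)."""
    reasons = []
    # Drop arguments such as %1; paths with spaces are not handled (simplification).
    exes = {cmd.split()[0] for cmd in mp.handlers.values()}
    names = {exe.rsplit("\\", 1)[-1].lower() for exe in exes}
    if names & SYSTEM_LOOKALIKES:
        reasons.append("payload named after a core Windows process")
    if {"explore", "open"} & set(mp.handlers):
        reasons.append("Explore/Open verbs redirected, so browsing the drive runs the payload")
    if any(n.endswith(SCRIPT_EXT) for n in names):
        reasons.append("payload is a script or legacy executable type")
    return reasons


def triage(text):
    """Map each GUID to its list of indicators."""
    return {mp.key.rsplit("\\", 1)[-1]: assess(mp) for mp in parse_mountpoints(text)}


def removal_lines(points):
    """CFScript lines deleting each flagged key, in the [-KEY] form used in the thread."""
    return [f"[-{mp.key}]" for mp in points if assess(mp)]


SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-aaaa-11dd-a7ba-000272b00026}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22222222-bbbb-11dd-a7ba-000272b00026}]
\Shell\AutoRun\command - I:\bar311.exe %1
\Shell\Explore\command - I:\bar311.exe %1
\Shell\Open\command - I:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33333333-cccc-11dd-a7ba-000272b00026}]
\Shell\AutoRun\command - H:\wak.cmd
\Shell\explore\Command - H:\wak.cmd
\Shell\open\Command - H:\wak.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44444444-dddd-11dd-a7ba-000272b00026}]
\Shell\Autoplay\Command - smss.exe
\Shell\AutoRun\command - smss.exe
\Shell\Explore\Command - smss.exe
\Shell\Open\Command - smss.exe
"""

if __name__ == "__main__":
    for guid, reasons in triage(SAMPLE_DUMP).items():
        print(guid, "->", "; ".join(reasons) or "no autorun hijack indicators")
    print("\n".join(removal_lines(parse_mountpoints(SAMPLE_DUMP))))
```

Only the entry whose sole handler is a plain `AutoRun` pointing at an `.exe` passes as benign-looking; the other three would each get a removal line. The heuristics are deliberately conservative: a missing drive letter by itself is not flagged, because `setup.exe`-style relative commands are exactly what a vendor CD writes.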

#5 jase07

jase07
  • Topic Starter

  • Members
  • 94 posts
  • OFFLINE
  • Local time:02:33 PM

Posted 15 September 2008 - 02:31 AM

Hi again miekiemoes, and thank you. I'm very sad to hear that my unit is severely infected; actually, in the past week it was so severely infected that no program would run and it would just pop up an error saying that a file is missing or corrupt, but I got past that..

Anyway, let me first introduce this unit to you. It is part of a workstation: a file server, a local web server, etc., which serves the rest of the computer units in the network. Many times, as a file server, someone will come and ask to open their flash drives, MMC and any other storage devices, but of course I do this with caution; that maybe explains why a lot of mountpoints were created. Also, all the files on the network are saved on this station, usually document files, images, worksheets and the like.

Another thing is the Deepfreeze; actually this unit is not frozen in any way. The Deepfreeze installed here is a console which controls the frozen units on the workstation...

If there is one thing I do not want to do with this unit, that is to reformat it, because a lot of programs and files, and the system as well, will be lost and I'd have to start over again, so as much as possible I don't want to do that. And even if we cannot remove all the infections, as long as they will not harm this unit and they remain disabled, I am willing to take that risk :thumbsup: .

So here is my ComboFix log. By the way, after ComboFix finished and was about to reboot my computer, on the shutting-down screen I got a BSOD; I haven't seen what was on it because it rebooted quickly.

ComboFix 08-09-14.02 - dhen 2008-09-15 14:24:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1505 [GMT 8:00]
Running from: C:\Documents and Settings\dhen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\dhen\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\12.tmp
C:\13.tmp
C:\14.tmp
C:\17.tmp
C:\18.tmp
C:\21.tmp
C:\23.tmp
C:\24.tmp
C:\25.tmp
C:\28.tmp
C:\Windows\system32\drivers\tjwzvmzz.dat
C:\WINDOWS\winhost_app.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EKW62
-------\Legacy_SIKUQBZZ
-------\Legacy_UOU86
-------\Service_Ekw62
-------\Service_Fyv85
-------\Service_jsP28
-------\Service_sikuqbzz
-------\Service_uoU86


((((((((((((((((((((((((( Files Created from 2008-08-15 to 2008-09-15 )))))))))))))))))))))))))))))))
.

2008-09-11 23:50 . 2008-09-11 23:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 23:50 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 23:50 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 17:36 . 2008-09-08 18:01 164 --a------ C:\WINDOWS\mix-fx.ini
2008-09-07 03:42 . 2008-09-07 03:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-07 03:31 . 2008-09-07 03:31 <DIR> d-------- C:\Program Files\Bonjour
2008-09-07 03:26 . 2008-09-07 03:26 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-27 11:30 . 2008-08-27 11:30 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\Malwarebytes
2008-08-27 11:30 . 2008-08-27 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 09:00 . 2008-08-27 09:03 4,856 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-27 04:13 . 2008-08-27 04:13 <DIR> d-------- C:\_OTMoveIt
2008-08-27 01:50 . 2008-08-27 03:23 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-08-27 01:04 . 2008-04-15 05:52 <DIR> d-------- C:\Documents and Settings\Administrator\ff_temp
2008-08-27 01:04 . 2008-04-15 05:52 <DIR> d-------- C:\Documents and Settings\Administrator\7zS183B.tmp
2008-08-27 01:04 . 2008-08-27 09:06 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-26 20:42 . 2008-08-26 20:42 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\AntsSoft
2008-08-24 15:23 . 2008-08-24 15:23 <DIR> d-------- C:\Program Files\Xilisoft
2008-08-23 18:43 . 2008-08-23 18:43 <DIR> d-------- C:\Program Files\KoolMoves
2008-08-21 20:29 . 2008-08-21 20:38 <DIR> d-------- C:\Program Files\IrfanView
2008-08-21 18:12 . 2008-08-21 18:12 <DIR> d-------- C:\Documents and Settings\dhen\temp
2008-08-21 18:12 . 2008-08-27 23:23 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\TeamViewer
2008-08-20 22:09 . 2008-08-20 22:09 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-08-19 23:49 . 2008-08-19 23:49 <DIR> d-------- C:\Program Files\SourceTec
2008-08-19 23:49 . 2008-08-19 23:49 <DIR> d-------- C:\Program Files\Common Files\SourceTec
2008-08-19 13:20 . 2008-08-19 13:20 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\Hewlett-Packard
2008-08-19 00:25 . 2008-08-19 00:25 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\Nokia
2008-08-19 00:25 . 2008-08-19 00:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-08-19 00:24 . 2008-08-19 00:24 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-08-19 00:24 . 2008-08-19 00:47 <DIR> d-------- C:\Program Files\Nokia
2008-08-19 00:24 . 2008-08-19 00:24 <DIR> d-------- C:\Program Files\DIFX
2008-08-19 00:24 . 2008-08-19 00:24 <DIR> d-------- C:\Documents and Settings\dhen\Application Data\PC Suite
2008-08-19 00:24 . 2007-02-22 11:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-08-19 00:24 . 2007-02-22 11:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-08-19 00:24 . 2007-02-22 11:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-08-19 00:24 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-08-19 00:24 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-08-19 00:24 . 2007-02-22 11:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-08-19 00:22 . 2008-08-19 00:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-14 19:16 --------- d-----w C:\Documents and Settings\dhen\Application Data\uTorrent
2008-09-14 18:52 --------- d-----w C:\Documents and Settings\dhen\Application Data\FileZilla
2008-09-13 15:04 --------- d-----w C:\Documents and Settings\dhen\Application Data\Vso
2008-09-13 01:13 --------- d-----w C:\Documents and Settings\dhen\Application Data\AVG7
2008-09-09 18:47 --------- d-----w C:\Program Files\GetRight
2008-09-08 05:55 --------- d-----w C:\Documents and Settings\dhen\Application Data\U3
2008-09-08 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-09-06 19:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-27 18:30 --------- d-----w C:\Program Files\Google
2008-08-27 16:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-26 17:50 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-20 18:23 --------- d-----w C:\Program Files\Faronics
2008-08-08 04:26 --------- d-----w C:\Program Files\MSECache
2008-07-25 10:33 --------- d-----w C:\Program Files\Noel Danjou
2008-07-15 16:01 --------- d-----w C:\Program Files\iriver
2008-07-15 06:54 --------- d-----w C:\Documents and Settings\dhen\Application Data\FMZilla
2008-04-27 13:43 47,360 ----a-w C:\Documents and Settings\dhen\Application Data\pcouffin.sys
2008-05-18 02:24 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051820080519\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Administrator\7zS183B.tmp ----

2005-11-30 03:43 33393 --a------ C:\Documents and Settings\Administrator\7zS183B.tmp\config.ini
2005-11-12 09:10 857034 --a------ C:\Documents and Settings\Administrator\7zS183B.tmp\adt.xpi
2005-11-12 09:10 76294 --a------ C:\Documents and Settings\Administrator\7zS183B.tmp\UninstallFirefox.zip
2005-11-12 09:10 716558 --a------ C:\Documents and Settings\Administrator\7zS183B.tmp\talkback.xpi
2005-11-12 09:10 6416 --a------ C:\Documents and Settings\Administrator\7zS183B.tmp\license.txt
2005-11-12 09:10 637904 --a------ C:\Documents and Settings\Administrator\7zS183B.tmp\en-US.xpi
2005-11-12 09:10 207492 --a------ C:\Documents and Settings\Administrator\7zS183B.tmp\setup.exe
2005-11-12 09:10 1698442 --a------ C:\Documents and Settings\Administrator\7zS183B.tmp\setuprsc.dll
2005-11-12 09:10 15843 --a------ C:\Documents and Settings\Administrator\7zS183B.tmp\install.ini
2005-11-12 09:10 13742442 --a------ C:\Documents and Settings\Administrator\7zS183B.tmp\browser.xpi
2005-11-12 09:10 1341141 --a------ C:\Documents and Settings\Administrator\7zS183B.tmp\xpcom.xpi

---- Directory of C:\Documents and Settings\Administrator\ff_temp ----

2008-04-15 05:52 869 --a------ C:\Documents and Settings\Administrator\ff_temp\install_status.log
2008-04-15 05:52 68203 --a------ C:\Documents and Settings\Administrator\ff_temp\xpcom.ns\bin\xpcom_compat.dll
2008-04-15 05:52 60516 --a------ C:\Documents and Settings\Administrator\ff_temp\xpcom.ns\bin\components\jar50.dll
2008-04-15 05:52 5822 --a------ C:\Documents and Settings\Administrator\ff_temp\install_wizard.log
2008-04-15 05:52 413789 --a------ C:\Documents and Settings\Administrator\ff_temp\xpcom.ns\bin\js3250.dll
2008-04-15 05:52 401510 --a------ C:\Documents and Settings\Administrator\ff_temp\xpcom.ns\bin\xpcom_core.dll
2008-04-15 05:52 28777 --a------ C:\Documents and Settings\Administrator\ff_temp\xpcom.ns\bin\plc4.dll
2008-04-15 05:52 24676 --a------ C:\Documents and Settings\Administrator\ff_temp\xpcom.ns\bin\plds4.dll
2008-04-15 05:52 165990 --a------ C:\Documents and Settings\Administrator\ff_temp\xpcom.ns\bin\components\xpinstal.dll
2008-04-15 05:52 155748 --a------ C:\Documents and Settings\Administrator\ff_temp\xpcom.ns\bin\nspr4.dll


------- Sigcheck -------

2006-01-13 10:03 360448 2a4818aea80acd2c95d7d92d2f3155f8 C:\WINDOWS\system32\drivers\tcpip.sys

2006-01-13 09:46 1075200 2deaca71a7fd77205f59d48d76b2f565 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-01-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-03 13508608]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-01-03 86016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 580096]
"BigDog303"="C:\WINDOWS\VM303_STI.EXE" [2005-10-25 61440]
"VirtualDrive"="C:\Program Files\FarStone\VirtualDrive\vdtask.exe" [2002-01-09 184320]
"nwiz"="nwiz.exe" [2008-01-03 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-05-27 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2006-01-13 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-04-30 1183744]
Monitor Apache Servers.lnk - D:\Programs\WServer\Apache2\bin\ApacheMonitor.exe [2005-04-16 41042]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fipsbqlkjih]
fipsbqlkjih.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\CafeManila\\CafeManila.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11983:TCP"= 11983:TCP:@xpsp2res.dll,-22004
"1650:TCP"= 1650:TCP:@xpsp2res.dll,-22004
"35401:TCP"= 35401:TCP:@xpsp2res.dll,-22004
"31716:TCP"= 31716:TCP:@xpsp2res.dll,-22004
"5307:TCP"= 5307:TCP:@xpsp2res.dll,-22004

R1 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys [2001-12-21 46735]
R2 DF5Server;Deep Freeze Server Service;C:\Program Files\Faronics\Deep Freeze Enterprise Server\DF5ServerService.exe [2008-08-21 958836]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2007-11-01 36864]
R3 FsHotKey;FsHotKey;C:\WINDOWS\system32\drivers\FsHotKey.sys [2001-12-31 3855]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{052009ef-68dc-11dd-a78c-000272b00026}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06c9a6aa-50d0-11dd-a761-000272b00026}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07c4c33c-6a63-11dd-a78e-000272b00026}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0057ce7-7d46-11dd-a7c0-000272b00026}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadd0c75-788e-11dd-a7b2-001583b3d1f3}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd8026bf-3c42-11dd-a728-000272b00026}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdcf2b81-11a7-11dd-9f66-001e8c9743e8}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdcf2b82-11a7-11dd-9f66-001e8c9743e8}]
\Shell\AutoRun\command - G:\noautorun.exe
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 14:33:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"D:\Programs\Webserver\MySQl\bin\mysqld-nt\" --defaults-file=\"D:\Programs\Webserver\MySQl\my.ini\" MySQL"
.
------------------------ Other Running Processes ------------------------
.
D:\Programs\WServer\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Programs\WServer\Apache2\bin\Apache.exe
C:\WINDOWS\system32\rundll32.exe
D:\Programs\Webserver\MySQl\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\CAFEMA~1\CafeManila.exe
.
**************************************************************************
.
Completion time: 2008-09-15 14:39:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-15 06:39:34
ComboFix2.txt 2008-09-14 16:44:08

Pre-Run: 59,313,270,784 bytes free
Post-Run: 59,323,252,736 bytes free

220


=============================================================

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:50 PM, on 9/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\WServer\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Faronics\Deep Freeze Enterprise Server\DF5ServerService.exe
D:\Programs\WServer\Apache2\bin\Apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\VM303_STI.EXE
D:\Programs\Webserver\MySQl\bin\mysqld-nt.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/BookWorm/Images/stg_drm.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/BookWorm/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C560AD6-A5B1-477E-9088-9B8CEA8D6685}: NameServer = 208.68.222.222,192.168.0.1
O20 - Winlogon Notify: fipsbqlkjih - fipsbqlkjih.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - D:\Programs\WServer\Apache2\bin\Apache.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Deep Freeze Server Service (DF5Server) - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze Enterprise Server\DF5ServerService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: MySQL - Unknown owner - D:\Programs\Webserver\MySQl\bin\mysqld-nt (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 8020 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:33 PM

Posted 15 September 2008 - 03:07 AM

Hi,

Anyway, let me first introduce to you this unit. This is a part of a workstation, a file server, a local web server, etc., which serves the rest of the computer units in the network. Many times, as a file server, someone will come and ask to open their flash drives, MMC and any other storage device, but of course I do this with caution; that maybe explains why a lot of mountpoints were created. Also, all the files on the network are saved in this station, usually document files, images, worksheets and the like.

Wow.. I don't know what to say here. This is bad! Your computer is infected, where you were dealing with a flashdrive infection, so this means that every computer in your network may also be infected... or at least everyone who used their flashdrive on your computer, because your computer was responsible for infecting the flashdrives, so if inserted into another computer, they get infected as well. I suggest you don't use these flashdrives anymore, since I have no clue how many different ones you have used on this computer, but all are infected anyway.
And the fact that your infected computer is a part of a workstation, a file server, then it means that you have infected the other computers as well anyway. :thumbsup:
I really really hope that Deepfreeze was enabled on the other computers, because otherwise it would have been a disaster.

If there is one thing I do not want to do with this unit, it is to reformat it, because a lot of programs and files, and the system as well, will be lost and I would have to start over again, so as much as possible I don't want to do that. And even if we cannot remove all the infections, as long as they will not harm this unit and they remain disabled, I am willing to take that risk.

ehm, not sure if you understand how important it is that a unit is clean.. ESPECIALLY since this one acts as a server! This computer is the cause why a lot of other computers are infected. This is irresponsible. Not sure either if you understand what this malware does. It collects all passwords and may collect other important info. So if you're using this computer for work (which I assume), then you're taking big risks here. The same goes for the other computers in the same network as they may be infected as well (if deepfreeze was disabled too).
The choice is yours of course how you want to deal with this and even if the malware is removed here, I wouldn't trust this computer anymore.... as this is an important computer in the network.
Anyway, you need to change all passwords since they may be known.
I don't know if you are the "owner" of the network, if it's your company or whatever this network is used for (for work etc etc). If not, then the first important thing you should do is to notify your supervisors about this. This is really important.

I understand that you have a lot of programs you don't want to lose, but what I don't understand is the fact, since this computer is so important, why don't you create backups? Please read this: http://miekiemoes.blogspot.com/2008/07/bac...frequently.html

To be honest, I don't feel good with this situation here as it is against my principles of cleaning this up manually, because this is irresponsible in your situation. But then again, it's your decision.

Anyway, the active malware appears to be gone here (as I see from your logs).. but that doesn't mean that your system is clean again.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: fipsbqlkjih - fipsbqlkjih.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
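The HijackThis lines the helper asks to fix above (the O4 Run entries and the O20 Winlogon Notify entry marked "(file missing)") are all autostart registrations whose target file can be checked against the disk. The PowerShell script below is an added example for readers of this thread, not code from HijackThis, ComboFix or the poster; it re-creates that one check read-only, so an operator can see which autostart hooks still resolve to a file and which are dead leftovers of a removed sample, and then decide what to delete by hand exactly as the helper instructs. The function names (Resolve-NotifyDll, Get-ExecutableFromCommand) are this example's own, and the Winlogon\Notify key only exists on Windows XP/2003, which is what this thread is about.

```powershell
# Added example (not from the thread): audit the autostart keys behind the
# HijackThis O20 (Winlogon Notify) and O4 (Run/RunOnce) lines and flag every
# entry whose target file is missing on disk, the same condition HijackThis
# prints as "(file missing)". Read-only: nothing is deleted.

$ErrorActionPreference = 'SilentlyContinue'
$sysDir = [Environment]::SystemDirectory   # e.g. C:\WINDOWS\system32

# Winlogon Notify packages (XP/2003 only): each subkey carries a DLLName
# value; a bare file name is loaded from the system directory by winlogon.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Resolve-NotifyDll {
    param([string]$DllName)
    if ([string]::IsNullOrWhiteSpace($DllName)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($DllName)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    return Join-Path $sysDir $expanded
}

function Get-ExecutableFromCommand {
    # Extract the program a Run value actually starts, e.g.
    #   "C:\Program Files\App\app.exe" /flag      -> C:\Program Files\App\app.exe
    #   RUNDLL32.EXE C:\WINDOWS\system32\X.dll,Fn -> C:\WINDOWS\system32\X.dll
    #   nwiz.exe /install                         -> nwiz.exe (resolved later)
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    $tokens = $cmd -split '\s+', 2
    # rundll32 is always present; the DLL it loads is the interesting target.
    if ($tokens[0] -match '^(rundll32(\.exe)?)$' -and $tokens.Count -gt 1) {
        return ($tokens[1].Trim() -split ',')[0].Trim('"')
    }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted path: first whitespace-delimited token. An unquoted path with
    # spaces will be cut short and show up as missing, which merits a look anyway.
    return $tokens[0]
}

$findings = @()

foreach ($sub in Get-ChildItem $notifyRoot) {
    $dll  = (Get-ItemProperty $sub.PSPath).DLLName
    $path = Resolve-NotifyDll $dll
    $findings += [pscustomobject]@{
        Source = 'O20 Winlogon Notify'
        Name   = $sub.PSChildName
        Target = $path
        Exists = if ($path) { Test-Path -LiteralPath $path } else { $false }
    }
}

# Run/RunOnce for HKLM and every loaded user hive (HKUS\S-1-5-19, .DEFAULT, ...).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $exe = Get-ExecutableFromCommand ([string]$item.GetValue($name))
        if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $sysDir $exe }
        $findings += [pscustomobject]@{
            Source = "O4 $key"
            Name   = $name
            Target = $exe
            Exists = Test-Path -LiteralPath $exe
        }
    }
}

# Missing targets first: those are the dead hooks (like fipsbqlkjih above)
# that a removal tool left behind and that still deserve manual cleanup.
$findings | Sort-Object Exists, Source | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKEY_USERS hives are readable. Entries that resolve to a file are not automatically clean (the msnsc.exe values above point at a real file yet are flagged by the helper), so the output is a triage list to read alongside the HijackThis log, not a verdict.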

#7 jase07

jase07
  • Topic Starter

  • Members
  • 94 posts
  • OFFLINE
  • Local time:02:33 PM

Posted 15 September 2008 - 11:52 AM

Wow.. I don't know what to say here. This is bad! Your computer is infected, where you were dealing with a flashdrive infection, so this means that every computer in your network may also be infected... or at least everyone who used their flashdrive on your computer, because your computer was responsible for infecting the flashdrives, so if inserted into another computer, they get infected as well. I suggest you don't use these flashdrives anymore, since I have no clue how many different ones you have used on this computer, but all are infected anyway.
And the fact that your infected computer is a part of a workstation, a file server, then it means that you have infected the other computers as well anyway. :)
I really really hope that Deepfreeze was enabled on the other computers, because otherwise it would have been a disaster.


I really think that I got the threats from a flash drive, a password_viewer.exe that was executed by one of my attendants.
Deep Freeze works as it is intended to do; I haven't got any threat from the rest of the units on the network. :)
I am also taking extra care when thawing other units for program updates.
I also have a scan-first policy which will scan the flash drive before reading and writing on it (although some of my attendants won't work that way).

Anyway, you need to change all passwords since they may be known.
I don't know if you are the "owner" of the network, if it's your company or whatever this network is used for (for work etc etc). If not, then the first important thing you should do is to notify your supervisors about this. This is really important.

To be honest, I don't feel good with this situation here as it is against my principles of cleaning this up manually, because this is irresponsible in your situation. But then again, it's your decision.


I own the network, sir. I have already changed all known passwords, thank you for reminding me...
If it's still okay for you to continue this process, I am more than willing to do so...

So here is the Kaspersky log (the scanner took so long :thumbsup:)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, September 16, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 15, 2008 09:30:09
Records in database: 1235094
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
L:\

Scan statistics:
Files scanned: 248306
Threat name: 26
Infected objects: 54
Suspicious objects: 0
Duration of the scan: 02:24:03


File name / Threat name / Threats count
C:\docs\13\RECYCLER\S-1-5-21-1844237615-573735546-1801674531-1003\D@311\New Folder\__.reg Infected: Trojan.Win32.Zapchast.ee 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\avp[1].exe.bac_a01264 Infected: Backdoor.Win32.Agent.iga 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\bhos[1].exe.bac_a01264 Infected: Trojan-Downloader.Win32.Agent.peb 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ciuj550.exe.bac_a01264 Infected: Trojan-Dropper.Win32.Agent.fcu 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ciuj587.exe.bac_a01264 Infected: Trojan-Downloader.Win32.Agent.pkw 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ciuj616.exe.bac_a01264 Infected: Trojan-Downloader.Win32.Agent.peb 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ciuj628.exe.bac_a01264 Infected: Backdoor.Win32.Agent.iga 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\ciuj631.exe.bac_a01264 Infected: Trojan-Downloader.Win32.Agent.peb 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\cuzins.exe.bac_a01264 Infected: IM-Worm.Win32.Sohanad.nq 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\dj 3d.mp3.bac_a01264 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\dyctuzul[1].txt.bac_a01264 Infected: Trojan-Downloader.Win32.Small.vus 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\dyctuzul[2].txt.bac_a01264 Infected: Trojan-Downloader.Win32.Small.vwt 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\eag[1].exe.bac_a01264 Infected: Trojan-Dropper.Win32.Agent.fcu 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\fipsbqlkjih.dll.bac_a01264 Infected: Email-Worm.Win32.Locksky.dm 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\good ituation ub40.mp3.bac_a01264 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\good situation uv40.mp3.bac_a01264 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\grtyuji[1].exe.bac_a01264 Infected: Trojan-Downloader.Win32.Agent.pkw 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\nagulat ka manila mafia.mp3.bac_a01264 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\New Folder.exe.bac_a01264 Infected: IM-Worm.Win32.Sohanad.nq 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\NEYO - Sexy love.mp3.bac_a01264 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\taktak nyo manila mafia.mp3.bac_a01264 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\twilight world swing out.mp3.bac_a01264 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\1020DC95.mdl.bac_a03524 Infected: Worm.SymbOS.HatiHati.a 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\autorun.inf.bac_a03524 Infected: Worm.Win32.AutoRun.bma 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\cmdow.exe.bac_a03524 Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\Dc1.exe.bac_a03524 Infected: Backdoor.Win32.Hupigon.bbfr 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\Dd1.exe.bac_a03524 Infected: Backdoor.Win32.Hupigon.bbfr 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\Df3.exe.bac_a03524 Infected: Backdoor.Win32.Hupigon.bbfr 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\ewan.htm.bac_a03524 Infected: Worm.Win32.Fujack.k 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\gesetup.exe.bac_a03524 Infected: not-a-virus:Monitor.Win32.GoldenEye.401 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\gesetup.exe.bac_a03524 Infected: Trojan.Win32.Hooker.j 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\Guardian,app.bac_a03524 Infected: Worm.SymbOS.HatiHati.a 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\Guardian.exe.bac_a03524 Infected: Worm.SymbOS.HatiHati.a 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\iepv_setup.exe.bac_a01736 Infected: not-a-virus:PSWTool.Win32.NetPass.e 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\iepv_setup.exe.bac_a03524 Infected: not-a-virus:PSWTool.Win32.NetPass.e 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\WinXP keyChanger.exe.bac_a03524 Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\winXP keyfinder.zip.bac_a03524 Infected: not-a-virus:PSWTool.Win32.RAS.g 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\winXP keyfinder.zip.bac_a03524 Infected: not-a-virus:PSWTool.Win32.RAS.a 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
C:\QooBox\Quarantine\catchme2008-09-15_142908.39.zip Infected: Rootkit.Win32.Agent.aap 3
C:\WINDOWS\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsKill.au 1
C:\_OTMoveIt\MovedFiles\09042008_011141\WINDOWS\system32\kxvo.exe Infected: Worm.Win32.AutoRun.cib 1
D:\util\Anti - Spy\Registry Tools\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
D:\util\Images\backup_files_12-30-07.iso Infected: not-a-virus:RiskTool.Win32.HideWindows 1
D:\util\LATEST MESSENGERS\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
D:\util\Networkings\Radmin\RADMIN 2.2.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 3
D:\util\Softwares\Remote Admin 2.2\RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 3

The selected area was scanned.

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • Location: Belgium

Posted 15 September 2008 - 12:18 PM

Hi,

The good news is that the infection is not active anymore. The only things Kaspersky flags are items quarantined by the Trend Micro HouseCall online scan, and items quarantined by the other tools you used.

These are OK and no threat:

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
C:\WINDOWS\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsKill.au 1
D:\util\Anti - Spy\Registry Tools\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
D:\util\Images\backup_files_12-30-07.iso Infected: not-a-virus:RiskTool.Win32.HideWindows 1
D:\util\LATEST MESSENGERS\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
D:\util\Networkings\Radmin\RADMIN 2.2.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 3
D:\util\Softwares\Remote Admin 2.2\RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 3

So you can safely ignore them.

Delete the following folders related to the HouseCall online scan, where the quarantined items are present:

C:\Documents and Settings\Administrator\.housecall6.6
C:\Documents and Settings\dhen\.housecall6.6

Delete this folder as well:

C:\_OTMoveIt

* Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders (including the C:\qoobox folder where Kaspersky found a threat in its quarantine) and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Also empty your recycle bin afterwards.

Then let me know in your next reply how things are now.

Edit: Not sure if you have created this folder:

C:\docs

This is because Kaspersky flags a file in there:

C:\docs\13\RECYCLER\S-1-5-21-1844237615-573735546-1801674531-1003\D@311\New Folder\__.reg

The strange part is... not sure what RECYCLER is doing there as a subfolder of that C:\docs folder.
What's this docs folder supposed to be?

Edited by miekiemoes, 15 September 2008 - 12:20 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
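The triage applied in the reply above (detections inside another tool's quarantine folder are already-removed files, and "not-a-virus:" names are riskware rather than infections) is mechanical enough to script. The following is an added Python example, not code from this thread or from Kaspersky; it assumes the report line shape seen above ("<path> Infected: <name> <count>") and the quarantine folder names used by HouseCall, ComboFix and OTMoveIt in this thread. The sample report is constructed: seven lines copied from the scan above plus one made-up line that places kxvo.exe back in system32 so the "live" bucket is not empty.

```python
"""Triage a Kaspersky Online Scanner report the way the reply above does:
hits inside other tools' quarantine folders are already-removed files, and
'not-a-virus:' names are riskware (legitimate but abusable tools), so neither
is a live infection. Only what remains needs cleanup."""
import re

# Report line shape: "<path> Infected: <detection name> <count>"
LINE_RE = re.compile(r"^(?P<path>.+) Infected: (?P<name>\S+) (?P<count>\d+)\s*$")

# Quarantine locations of the tools used in this thread (HouseCall, ComboFix,
# OTMoveIt). Matching is case-insensitive because NTFS paths are.
QUARANTINE_MARKERS = (
    "\\.housecall6.6\\quarantine\\",
    "\\qoobox\\quarantine\\",
    "\\_otmoveit\\movedfiles\\",
)


def classify(path, name):
    """Return 'quarantined', 'riskware' or 'live' for one report line."""
    low = path.lower()
    if any(marker in low for marker in QUARANTINE_MARKERS):
        return "quarantined"
    if name.lower().startswith("not-a-virus:"):
        return "riskware"
    return "live"


def triage(report_text):
    """Parse a report and bucket every detection by classify()."""
    buckets = {"quarantined": [], "riskware": [], "live": []}
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, "The selected area was scanned."
        path, name = m.group("path"), m.group("name")
        buckets[classify(path, name)].append((path, name, int(m.group("count"))))
    return buckets


def live_hits(report_text):
    """Paths that still need attention: not quarantined and not riskware."""
    return [path for path, _, _ in triage(report_text)["live"]]


# Constructed sample: seven lines copied from the report in this thread plus
# one made-up line (the last one) that places kxvo.exe back in system32, so
# the 'live' bucket is not empty.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\fipsbqlkjih.dll.bac_a01264 Infected: Email-Worm.Win32.Locksky.dm 1
C:\Documents and Settings\dhen\.housecall6.6\Quarantine\Dc1.exe.bac_a03524 Infected: Backdoor.Win32.Hupigon.bbfr 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
C:\QooBox\Quarantine\catchme2008-09-15_142908.39.zip Infected: Rootkit.Win32.Agent.aap 3
C:\WINDOWS\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsKill.au 1
C:\_OTMoveIt\MovedFiles\09042008_011141\WINDOWS\system32\kxvo.exe Infected: Worm.Win32.AutoRun.cib 1
D:\util\Networkings\Radmin\RADMIN 2.2.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 3
C:\WINDOWS\system32\kxvo.exe Infected: Worm.Win32.AutoRun.cib 1

The selected area was scanned.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, hits in result.items():
        print(f"{bucket}: {len(hits)}")
        for path, name, _ in hits:
            print(f"  {name:45} {path}")
```

The riskware bucket is only "safe to ignore" in the sense the reply uses: the files are tools the owner installed (mIRC, PsShutdown, Radmin), not something dropped by the infection. On a machine you did not set up yourself, a remote-admin tool in that bucket still deserves a look at who installed it and why.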

#9 jase07

  • Topic Starter
  • Members

Posted 15 September 2008 - 12:42 PM

Hi,

The good news is that the infection is not active anymore.


:thumbsup: Glad to read this.



Delete the following folders related to the HouseCall online scan, where the quarantined items are present:

C:\Documents and Settings\Administrator\.housecall6.6
C:\Documents and Settings\dhen\.housecall6.6

Delete this folder as well:

C:\_OTMoveIt

* Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders (including the C:\qoobox folder where Kaspersky found a threat in its quarantine) and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Also empty your recycle bin afterwards.


I successfully followed all the steps, but I cannot find the folder qoobox in the root drive. I've already changed the folder settings to "show hidden files" and even "show system files". Is it bad that the folder cannot be located while the scanner found it?


Edit: Not sure if you have created this folder:

C:\docs

This is because Kaspersky flags a file in there:

C:\docs\13\RECYCLER\S-1-5-21-1844237615-573735546-1801674531-1003\D@311\New Folder\__.reg

The strange part is... not sure what RECYCLER is doing there as a subfolder of that C:\docs folder.
What's this docs folder supposed to be?


This is the shared folder; it ranges from C:\docs\pcunit01 to \pcunit30. All the My Documents folders of 30 units are redirected into these folders; as I said in the earlier post, this is a file server. Does RECYCLER get placed there naturally in this case?

Edited by jase07, 15 September 2008 - 12:43 PM.


#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • Location: Belgium

Posted 15 September 2008 - 12:47 PM

Hi,

I successfully followed all the steps, but I cannot find the folder qoobox in the root drive. I've already changed the folder settings to "show hidden files" and even "show system files". Is it bad that the folder cannot be located while the scanner found it?

I guess you have misunderstood my previous post. Performing the command Combofix /u in order to uninstall Combofix will delete the C:\Qoobox folder as well, so that explains why you can't find it anymore.

This is the shared folder; it ranges from C:\docs\pcunit01 to \pcunit30. All the My Documents folders of 30 units are redirected into these folders; as I said in the earlier post, this is a file server. Does RECYCLER get placed there naturally in this case?

I have no clue; this all depends on how it was set up. If possible, navigate manually to the C:\docs\13\RECYCLER\S-1-5-21-1844237615-573735546-1801674531-1003\D@311\New Folder\__.reg file and delete it from there.
It's only a .reg file though, so even if you leave it, it can't do anything.

Let me know in your next reply how things are now.

Edited by miekiemoes, 15 September 2008 - 12:48 PM.


#11 jase07

  • Topic Starter
  • Members

Posted 15 September 2008 - 01:14 PM

C:\docs\13\RECYCLER\ is empty. Maybe it was emptied when I emptied my Recycle Bin.

Well, the reason I asked for help was to fix the redirecting of my images and advertisements to inonto.com and a .dll file (which was already missing before this topic was posted) that kept inserting itself into the winlogon registry. These are all gone. BUT to my surprise, I was infected more than I expected, and I am always thankful to this site and to you, miekiemoes (sorry to call you "sir" in the previous post), that all of them are (hopefully, really) gone.

All things are running smoothly now. I can't say if there are still infections left, but I trust this site to know whether there are.
Thank you very much..

Edited by jase07, 15 September 2008 - 01:33 PM.
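The symptom described above, a DLL that keeps re-inserting itself under the Winlogon key, is worth checking for explicitly rather than waiting for a scanner to notice the file again, because the registry value is what brings the file back at the next logon. The following is an added Python example, not code from this thread or from any of the tools it mentions. It parses a `reg export` of the Winlogon key (the .reg text format that regedit and `reg export` write) and flags anything that deviates from stock Windows XP: a Shell other than Explorer.exe, extra Userinit entries, and Notify packages outside the default set. The sample export, the `fipsbqlkjih` Notify subkey and its layout are constructed for the example; the thread names only the DLL, not where it sat.

```python
"""Flag non-default Winlogon persistence in a 'reg export' of the key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (Windows XP).
Produce the input with:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Notify subkeys present on a stock Windows XP install. Anything else is
# either vendor software (Intel/ATI display drivers add their own) or
# malware, so it is flagged for a human to judge.
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def parse_reg(text):
    """Return {key_path: {value_name: string}} for REG_SZ and REG_EXPAND_SZ
    values. Handles the backslash line continuations regedit writes for
    long hex(2) values; other value types are ignored."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        joined.append(buf + line.strip())
        buf = ""
    keys, current = {}, None
    for line in joined:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"([^"]+)"=(.*)$', line)
            if not m:
                continue
            name, val = m.group(1), m.group(2)
            if val.startswith('"') and val.endswith('"'):
                # REG_SZ: .reg doubles backslashes inside the quotes
                keys[current][name] = val[1:-1].replace("\\\\", "\\")
            elif val.startswith("hex(2):"):
                # REG_EXPAND_SZ: comma-separated UTF-16LE bytes, NUL-terminated
                data = bytes(int(b, 16) for b in val[7:].split(",") if b)
                keys[current][name] = data.decode("utf-16-le").rstrip("\x00")
    return keys


def check_winlogon(text):
    """Return a list of human-readable findings; empty means stock XP values."""
    keys = parse_reg(text)
    findings = []
    main = keys.get(WINLOGON, {})

    shell = main.get("Shell", "")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Shell is not Explorer.exe: {shell!r}")

    # Userinit is a comma-separated list; XP's default is the single
    # system32\userinit.exe entry with a trailing comma. Extra entries run
    # at every logon.
    entries = [e.strip() for e in main.get("Userinit", "").split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith(r"\system32\userinit.exe")]
    if len(entries) != 1 or extra:
        findings.append(f"Userinit has unexpected entries: {entries}")

    prefix = WINLOGON.lower() + "\\notify\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        sub = key[len(prefix):]
        if "\\" in sub:
            continue  # deeper subkeys are not Notify packages themselves
        if sub.lower() not in XP_DEFAULT_NOTIFY:
            findings.append(
                f"Non-default Winlogon Notify package {sub!r} loads {values.get('DllName')!r}")
    return findings


# Constructed sample export: stock XP Shell/Userinit, one genuine default
# Notify package (crypt32chain, written the way regedit writes it), and one
# hypothetical package named after the DLL from this thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fipsbqlkjih]
"DllName"="fipsbqlkjih.dll"
"Startup"="Startup"
"""

if __name__ == "__main__":
    for finding in check_winlogon(SAMPLE_EXPORT) or ["no non-default Winlogon entries"]:
        print(finding)
```

Run it against a fresh export every time a scanner reports the file gone: if the Notify value or the Userinit entry is still present, the next logon will try to load the DLL again, so both the file and the value have to go. Vendor display drivers also register Notify packages, so a hit from this check is a lead to verify (check the DLL's path and signer), not a verdict.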


#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • Location: Belgium

Posted 15 September 2008 - 01:58 PM

(sorry to call you "sir" in the previous post)

No problem, most people call me "sir" since they don't expect a female helping them :thumbsup:

Anyway, glad to hear everything runs OK again.

I suggest you enable Deep Freeze again and leave it enabled (only disable it for important updates).

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!

#13 jase07

  • Topic Starter
  • Members

Posted 16 September 2008 - 03:23 AM

Hi miekiemoes, I have been lurking around your blog since you first posted it. Great blog, very educational; I am sure I'm going to get something very useful out of it.

Anyway, as I posted earlier, this is the only unit that is not frozen; it can't be frozen since a lot of files come through this unit. The Deep Freeze you've seen is the console which controls the frozen units.

Again, Thank you..

#14 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • Location: Belgium

Posted 16 September 2008 - 06:06 AM

You're most welcome :thumbsup:

#15 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • Location: Belgium

Posted 17 September 2008 - 04:27 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

