
windows cannot find RECYCLER virus


15 replies to this topic

#1 killa57


Posted 30 January 2009 - 11:38 PM

Okay, hi. I need help with this virus. According to garmanma on another thread, he said "There is a recycler virus spread through the autorun.inf in flash and thumb drives".

Here's the thread I made earlier on "Windows XP Home and Professional"; hopefully I'm posting this in the right section. So what do I do?
THREAD CLICK HERE

Here's the screenshot of what I'm getting every time I try to open my C: drive, E: drive or F: drive.
Screenshot here

Edited by killa57, 31 January 2009 - 12:59 AM.



#2 PropagandaPanda (Malware Response Team)

Posted 31 January 2009 - 11:24 AM

Hello killa57.

Let's see what we can do.

Download and Run FlashDisinfector
You have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :files
    c:\recycler\
    d:\recycler\
    e:\recycler\
    f:\recycler\
    g:\recycler\
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
With Regards,
The Panda

#3 killa57 (Topic Starter)

Posted 31 January 2009 - 10:07 PM

Thank you very much for your help, PropagandaPanda. I really appreciate your time helping me with my problem :thumbsup:



========== FILES ==========
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\Dc38\Kodak EasyShare printer dock moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\Dc38\Kodak EasyShare moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\Dc38 moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\Dc37 moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\Dc29\mixed pictures moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\Dc29 moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\Dc28 moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\Dc2\Pictures of Vanessa moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\Dc2\gordo moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\Dc2 moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005 moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1004\Dc6 moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1004\Dc5.Team moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1004\Dc3 moved successfully.
c:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1004 moved successfully.
c:\RECYCLER moved successfully.
Folder d:\recycler not found.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De80 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De178 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De177 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De176 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De110 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De109 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De108 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De107 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De106 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De105 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De104 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De103 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De102 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005\De101 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005 moved successfully.
e:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1004 moved successfully.
e:\RECYCLER moved successfully.
f:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1005 moved successfully.
f:\RECYCLER\S-1-5-21-220523388-343818398-725345543-1004 moved successfully.
f:\RECYCLER moved successfully.
Folder g:\recycler not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01312009_205115


Malwarebytes' Anti-Malware 1.33
Database version: 1712
Windows 5.1.2600 Service Pack 3

1/31/2009 09:02:24 PM
mbam-log-2009-01-31 (21-02-24).txt

Scan type: Quick Scan
Objects scanned: 58635
Time elapsed: 7 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 PropagandaPanda (Malware Response Team)

Posted 01 February 2009 - 12:57 PM

Hello.

Oops. I can't spell. Or rather, the virus cannot and I did :thumbsup:.

Please run this script with OTMoveIt.

c:\recycled\
d:\recycled\
e:\recycled\
f:\recycled\
g:\recycled\
Post back that log.

Create and Run Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /s >Log.txt 2>&1
    start notepad log
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.bat
  • Hit OK.
When done properly, the file should have the batch-file icon rather than the Notepad text-file icon.

Double click Fix.bat. If you are using Windows Vista, right click the icon and select "Run as Administrator".

You will see a log open. Post back with that too.

With Regards,
The Panda

Edited by PropagandaPanda, 01 February 2009 - 12:57 PM.


#5 killa57 (Topic Starter)

Posted 01 February 2009 - 09:11 PM

No problem, it's okay, I'm not very good at spelling myself :thumbsup:



Error: Unable to interpret <c:\recycled\> in the current context!
Error: Unable to interpret <d:\recycled\> in the current context!
Error: Unable to interpret <e:\recycled\> in the current context!
Error: Unable to interpret <f:\recycled\> in the current context!
Error: Unable to interpret <g:\recycled\> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02012009_200454




! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell
<NO NAME> REG_SZ Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun
<NO NAME> REG_SZ Auto&Play

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun\command
<NO NAME> REG_SZ C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-9-4-13-100014179-100026554-100002888-6089.com e:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\Open

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\Open\command
<NO NAME> REG_SZ RECYCLER\S-9-4-13-100014179-100026554-100002888-6089.com e:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell
<NO NAME> REG_SZ Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun
<NO NAME> REG_SZ Auto&Play

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command
<NO NAME> REG_SZ C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-9-4-13-100014179-100026554-100002888-6089.com f:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\Open

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\Open\command
<NO NAME> REG_SZ RECYCLER\S-9-4-13-100014179-100026554-100002888-6089.com f:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY DFDFDFDFDFDFDFDFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FDF5F5F5F5F5FDFDF5F5F5F5FDFDFDFDFDFDFDFDF5FDFDFDF5F5F5F5F5F5F5F5F5F5F000000000000000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0024b58a-75bd-11dd-a67a-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF002000000009000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0feb8f41-adbf-11dd-87d7-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCF010101EEFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0feb8f41-adbf-11dd-87d7-0016b65751d5}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0feb8f41-adbf-11dd-87d7-0016b65751d5}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0feb8f41-adbf-11dd-87d7-0016b65751d5}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0feb8f8f-adbf-11dd-87d7-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 010001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0feb8f8f-adbf-11dd-87d7-0016b65751d5}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0feb8f8f-adbf-11dd-87d7-0016b65751d5}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0feb8f8f-adbf-11dd-87d7-0016b65751d5}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39251d47-8a5a-11dd-879f-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCF010101EEFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000
_LabelFromReg REG_SZ USB

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39251d47-8a5a-11dd-879f-0016b65751d5}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39251d47-8a5a-11dd-879f-0016b65751d5}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39251d47-8a5a-11dd-879f-0016b65751d5}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5659aef0-b851-11dd-9b4c-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCF010101EEFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5659aef0-b851-11dd-9b4c-0016b65751d5}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5659aef0-b851-11dd-9b4c-0016b65751d5}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5659aef0-b851-11dd-9b4c-0016b65751d5}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{774a203a-714d-11dd-a68b-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCF010101EEFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{779f6698-70b3-11dd-a677-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FCF5F5F5F5FCFCF5F5F5FCF0101005F5FEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00200000000C000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{779f6698-70b3-11dd-a677-806d6172696f}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{779f6698-70b3-11dd-a677-806d6172696f}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{779f6698-70b3-11dd-a677-806d6172696f}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{779f6698-70b3-11dd-a677-806d6172696f}\_Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{779f6698-70b3-11dd-a677-806d6172696f}\_Autorun\DefaultIcon
<NO NAME> REG_SZ G:\win\setup\iPlayer.ico

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a38f96b-ddfe-11dd-81f1-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 010001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a38f96b-ddfe-11dd-81f1-0016b65751d5}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a38f96b-ddfe-11dd-81f1-0016b65751d5}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a38f96b-ddfe-11dd-81f1-0016b65751d5}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a38faa0-ddfe-11dd-81f1-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 0101FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000000000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{902b1ec9-8d7d-11dd-87aa-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCF010101EEFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{902b1ec9-8d7d-11dd-87aa-0016b65751d5}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{902b1ec9-8d7d-11dd-87aa-0016b65751d5}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{902b1ec9-8d7d-11dd-87aa-0016b65751d5}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943e74-6e52-11dd-ad2e-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FCF5F5F5F5FCFCF5F5F5FCF00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00E00000000C000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943e74-6e52-11dd-ad2e-806d6172696f}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943e74-6e52-11dd-ad2e-806d6172696f}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943e74-6e52-11dd-ad2e-806d6172696f}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943e74-6e52-11dd-ad2e-806d6172696f}\_Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943e74-6e52-11dd-ad2e-806d6172696f}\_Autorun\DefaultIcon
<NO NAME> REG_SZ D:\WIN\SETUP\pcfriend.ico

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943ea3-6e52-11dd-ad2e-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF002000000009000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943ea3-6e52-11dd-ad2e-0016b65751d5}\_Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943ea3-6e52-11dd-ad2e-0016b65751d5}\_Autorun\DefaultIcon
<NO NAME> REG_SZ G:\boot\slax.ico

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5a31a21-6d94-11dd-a296-a5fdc5718e61}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCFDFDFDF5FDFDF005F5F5F5F5F5F5F5F5F5F000100000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5a31a22-6d94-11dd-a296-a5fdc5718e61}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCFDFDFDF5FDFDF005F5F5F5F5F5F5F5F5F5F000100000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b10b5eba-cf12-11dd-81e6-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FCF5F5F5F5FCFCF5F5F5FCF0101005F5FEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00200000000C000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b10b5eba-cf12-11dd-81e6-806d6172696f}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b10b5eba-cf12-11dd-81e6-806d6172696f}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b10b5eba-cf12-11dd-81e6-806d6172696f}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b16f293a-c876-11dd-9b62-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F005F5F5F5F5FCFCF5F5F5F5F010100EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008020000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b16f293a-c876-11dd-9b62-0016b65751d5}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b16f293a-c876-11dd-9b62-0016b65751d5}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b16f293a-c876-11dd-9b62-0016b65751d5}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b5e56f23-ba51-11dd-9b56-0016b65751d5}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3c7be88-6d67-11dd-8644-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3c7be89-6d67-11dd-8644-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FCF5F5F5F5FCFCF5F5F5FCFCFCF5F5F5FCFCFCF5F5F5FCFCFCF5F5F5FCFCFCF5F5FCF5F5F5F5F5FCF5F5F5F5F5FDFDF5F5F5F5FCFCFCFCFCFCFCFCF5FCFCFDF5F5F5F5F5F5F5F5F5F5F002000000000000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3c7be89-6d67-11dd-8644-806d6172696f}\_Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3c7be89-6d67-11dd-8644-806d6172696f}\_Autorun\Action
<NO NAME> REG_SZ Install TaxCut

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3c7be89-6d67-11dd-8644-806d6172696f}\_Autorun\DefaultIcon
<NO NAME> REG_SZ D:\tcauto.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3c7be8b-6d67-11dd-8644-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7f9c2ce-ccb9-11dd-9b64-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F005F5F5F5F5FCFCF5F5F5F5F010100EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008010000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7f9c2ce-ccb9-11dd-9b64-0016b65751d5}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7f9c2ce-ccb9-11dd-9b64-0016b65751d5}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7f9c2ce-ccb9-11dd-9b64-0016b65751d5}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da085910-b844-11dd-9b48-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FCF5F5F5F5FCFCF5F5F5FCF0101005F5FEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00200000000C000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da085910-b844-11dd-9b48-0016b65751d5}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da085910-b844-11dd-9b48-0016b65751d5}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da085910-b844-11dd-9b48-0016b65751d5}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daeb9896-73e4-11dd-a65a-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FCF5F5F5F5FCFCF5F5F5FCF0101005F5FEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00200000000C000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daeb9896-73e4-11dd-a65a-806d6172696f}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daeb9896-73e4-11dd-a65a-806d6172696f}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{daeb9896-73e4-11dd-a65a-806d6172696f}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbbf25a2-b747-11dd-9b29-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FCF5F5F5F5FCFCF5F5F5FCF0101005F5FEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00200000000C000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbbf25a2-b747-11dd-9b29-806d6172696f}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbbf25a2-b747-11dd-9b29-806d6172696f}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbbf25a2-b747-11dd-9b29-806d6172696f}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9558d32-79f8-11dd-8781-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FCF5F5F5F5FCFCF5F5F5FCF0101005F5FEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00200000000C000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9558d32-79f8-11dd-8781-806d6172696f}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9558d32-79f8-11dd-8781-806d6172696f}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9558d32-79f8-11dd-8781-806d6172696f}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2e814a8-a476-11dd-87c8-0016b65751d5}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCF010101EEFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2e814a8-a476-11dd-87c8-0016b65751d5}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2e814a8-a476-11dd-87c8-0016b65751d5}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2e814a8-a476-11dd-87c8-0016b65751d5}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d3c7be8b-6d67-11dd-8644-806d6172696f}
Data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
Generation REG_DWORD 0x1

#6 PropagandaPanda (Malware Response Team)

Posted 02 February 2009 - 11:58 AM

Hello killa57.

Please run this script with OTMoveIt and post back the log:
:Files
c:\recycled\
d:\recycled\
e:\recycled\
f:\recycled\
g:\recycled\

:reg
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943ea3-6e52-11dd-ad2e-0016b65751d5}]
Any symptoms after? Can you open all your drives now?

With Regards,
The Panda
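
The :reg section of the script above deletes per-volume keys under MountPoints2. The reason that helps: Explorer caches each volume's autorun.inf verbs under HKCU\...\Explorer\MountPoints2\{volume GUID}\shell, so once the worm's executable has been removed from the drive, a stale shell\AutoRun\command (or shell\open\command) still points at a RECYCLER\... path and double-clicking the drive fails with "Windows cannot find ...". The following Python script is an added example, not code from this thread, from OTMoveIt or from anyone in it. It parses a plain-text export in the same layout as the registry dump posted earlier in the thread (a key path on one line, then "Name TYPE data" lines), flags cached handlers that run something from the volume, and emits an OTMoveIt-style :reg block for them. The sample export is constructed: the two Autoplay keys are copied from the dump, while the {deadbeef-...} volume GUIDs, the SID and the file names are made up.

```python
"""Triage a text export of HKCU\\...\\Explorer\\MountPoints2 for cached autorun handlers.

Added example (not from the thread). Assumes the export format used in the thread's
registry dump: one key path per line, followed by "Name REG_TYPE data" lines, with a
blank line between keys.
"""
import re

# Key paths that hold a cached autorun.inf verb for a volume.
HANDLER_KEY = re.compile(r"\\shell\\(?:autorun|open|explore)\\command$", re.I)


def parse_export(text):
    """Return {key_path: {value_name: (reg_type, data)}} from the plain-text export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            current = line
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r"(\S+)\s+(REG_\w+)\s*(.*)$", line)  # "<name> <type> <data>"
        if m:
            name, reg_type, data = m.groups()
            keys[current][name] = (reg_type, data)
    return keys


def classify_command(cmd):
    """Return a reason string if the cached command looks like a worm handler, else ''."""
    if re.search(r"recycler|recycled|autorun\.inf", cmd, re.I):
        return "references RECYCLER/autorun.inf on the volume"
    exe = re.match(r'\s*"?([^"\s]+\.(?:exe|com|scr|bat|cmd|pif|vbs))', cmd, re.I)
    if exe and not re.match(r"(%systemroot%|%windir%|[a-z]:\\windows)\\", exe.group(1), re.I):
        return "runs an executable outside %SystemRoot%"
    return ""


def find_autorun_handlers(keys):
    """List every MountPoints2 volume whose cached shell verb runs a command."""
    findings = []
    for path, values in keys.items():
        if "\\MountPoints2\\" not in path or not HANDLER_KEY.search(path):
            continue
        cmd = values.get("(Default)", ("", ""))[1]
        volume_key = path[: path.lower().index("\\shell\\")]
        findings.append({"volume_key": volume_key, "command": cmd,
                         "reason": classify_command(cmd)})
    return findings


def otmoveit_reg_script(findings):
    """Build an OTMoveIt ':reg' section deleting the flagged volume keys (the thread's [-KEY] syntax)."""
    bad = sorted({f["volume_key"] for f in findings if f["reason"]})
    if not bad:
        return ""
    return "\n".join([":reg"] + [f"[-{k}]" for k in bad]) + "\n"


# Constructed sample export: the Autoplay keys are from the thread's dump; the
# {deadbeef-...} volumes, the SID and the file names are made up for illustration.
SAMPLE_EXPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2e814a8-a476-11dd-87c8-0016b65751d5}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2e814a8-a476-11dd-87c8-0016b65751d5}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{deadbeef-0000-4000-8000-000000000001}\shell\AutoRun\command
(Default) REG_SZ E:\RECYCLER\S-1-5-21-0-0-0-500\example.exe e:\autorun.inf

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{deadbeef-0000-4000-8000-000000000002}\shell\open\command
(Default) REG_SZ %SystemRoot%\explorer.exe E:\
"""

if __name__ == "__main__":
    results = find_autorun_handlers(parse_export(SAMPLE_EXPORT))
    for f in results:
        print(("FLAG " if f["reason"] else "ok   ") + f["volume_key"].rsplit("\\", 1)[1], "->", f["command"])
    print(otmoveit_reg_script(results), end="")
```

The Autoplay\DropTarget CLSID entries from the dump are ordinary Explorer bookkeeping and are reported as ok; only a verb that runs something from the volume (or anything mentioning RECYCLER or autorun.inf) gets a :reg line. Run this against a real export only after the files on the drives have been dealt with, since deleting the cached key alone does not remove the worm.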

#7 killa57 (Topic Starter)

Posted 02 February 2009 - 12:51 PM

Error: Unable to interpret <Files> in the current context!
Error: Unable to interpret <c:\recycled\> in the current context!
Error: Unable to interpret <d:\recycled\> in the current context!
Error: Unable to interpret <e:\recycled\> in the current context!
Error: Unable to interpret <f:\recycled\> in the current context!
Error: Unable to interpret <g:\recycled\> in the current context!
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943ea3-6e52-11dd-ad2e-0016b65751d5}\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02022009_114539


Yes, I'm able to open all the drives after the first time I ran OTMoveIt. I did get a virus alert from AVG; here's what it said:
"Exploit Rogue spyware scanner";"sg12scanner.com/sysgd09_2/3/10253";"";"2/1/2009, 9:21:15 PM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"

Is this bad?

#8 PropagandaPanda (Malware Response Team)

Posted 02 February 2009 - 05:34 PM

Hello.

i did get a virus alert from avg heres what it said
"Exploit Rogue spyware scanner";"sg12scanner.com/sysgd09_2/3/10253";"";"2/1/2009, 9:21:15 PM";"File";"C:\Program Files\Internet Explorer\iexplore.exe"

Looks like you were visiting a site that contained some rogue ads.

Anyways, let's get an online scan.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda

#9 killa57 (Topic Starter)

Posted 02 February 2009 - 08:11 PM

Scanning Report
Monday, February 02, 2009 18:25:52 - 19:08:45
Computer name: KILLA57
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\ F:\


--------------------------------------------------------------------------------

Result: 14 malware found
Client-IRC.Win32.mIRC (spyware)
System
INI/Vundo.A (virus)
C:\WINDOWS\SYSTEM32\PPYJQXYB.INI (Submitted)
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Adinterax (spyware)
System
TrackingCookie.Adrevolver (spyware)
System
TrackingCookie.Advertising (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Atwola (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Questionmarket (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Specificclick (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System
W32/Zlob.gen123 (virus)
C:\_OTMOVEIT\MOVEDFILES\01312009_205115\RECYCLER\S-1-5-21-220523388-343818398-725345543-1004\DC3\AGENT.OMZ.FIX.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 31250
System: 8989
Not scanned: 6
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 14
Submitted: 2
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.6.8511, 2009-02-02
F-Secure AVP: 7.0.171, 2009-02-02
F-Secure Pegasus: 1.20.0, 1969-11-31
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics


#10 PropagandaPanda (Malware Response Team)

Posted 02 February 2009 - 08:16 PM

Hello killa57.

Looks like you are clean :thumbsup: .

Please delete this file manually:
C:\WINDOWS\SYSTEM32\PPYJQXYB.INI

Run Cleanup! with OTMoveIt
Let's clear out the tools we've used.
  • Double click the OTMoveIt2.exe icon on your desktop to start the program.
  • Click the CleanUp! button.
  • A pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections. For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#11 killa57 (Topic Starter)

Posted 02 February 2009 - 09:29 PM

Thank you for helping me with my problems, but I encountered another problem; I hope I solved it.

I could not find the file C:\WINDOWS\SYSTEM32\PPYJQXYB.INI, but when I pasted it in the address bar at the top it opened the file, so I know it was there. I tried searching and looking for it, even in hidden files, but I couldn't find it. I used OTMoveIt and put in the code

:Files
C:\WINDOWS\SYSTEM32\PPYJQXYB.INI

and it removed it for me. Was that wise of me to do that?
And I proceeded with the rest of the instructions.

Now that I have done that, I pasted C:\WINDOWS\SYSTEM32\PPYJQXYB.INI in the address bar again and it said file not found, so I'm assuming it's not there anymore and is deleted off the computer.

Thank you for your time in helping me again; I really appreciate it.

Edited by killa57, 02 February 2009 - 09:31 PM.


#12 ChainQLel2 (Members)

Posted 03 February 2009 - 05:14 AM

Hello,

I also have this problem. Please help me.

I have tried your ways and it still is not solved.

Thank you in advance.

#13 PropagandaPanda (Malware Response Team)

Posted 03 February 2009 - 08:29 AM

Hello ChainQLel2.

In the future, please start your own topic.
-----
Killa,

Ah. The file probably had hidden and system attributes. That took care of it. However, in the future, please avoid using tools like OTMoveIt to remove files yourself, as it is a powerful tool.

With Regards,
The Panda

#14 killa57 (Topic Starter)

Posted 03 February 2009 - 11:46 AM

Thank you, Panda, for the quick response and the help that I received with my problems. I really appreciate the help.

#15 PropagandaPanda (Malware Response Team)

Posted 03 February 2009 - 11:57 AM

No problem.

The Panda