Another Variation of Win32.BHO.abo

system · 2008-01-31T22:51:27.000Z

i deleted the desktop image of the hijackthis.txt but when it created a new log, it placed it there again.

The D: drive was partitioned by Compaq. It has 2 folders…Backup and a locked Recovery folder. There are also a handful of other files, but I’m not sure what they are.

system · 2008-01-31T23:39:12.000Z

Open HJT, run a system scan only, checkmark these lines

O4 - HKLM..\Run: [NI.UWFX5_0001_N57M2811] “C:\Documents and Settings\Compaq_Owner\My Documents\error.exe” -nag
O4 - HKLM..\Run: [NI.UWFX6_0001_N57M0912] “C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe” -nag
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe C:\Documents and Settings\Compaq_Owner\My Documents\error.exe
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dueavlel]

According to combofix, you have the recovery console installed, so we will use it to disable a service.

To access the recovery console follow this link, scroll down to just below #6.

http://www.bleepingcomputer.com/tutorials/tutorial117.html

Once in the console and are at the c:\windows prompt, do the following

When doing this, any thing you see in curly brackets {} means an action, for example {space} means 1 space and {enter} means enter key

listsvc{enter}
disable{space}dueavlel{enter}
ren{space}C:\WINDOWS\system32\drivers\ikuracjg.dat{space}ikuracjg.old{enter}
del{space}C:\WINDOWS\system32\datacle.dll{enter}
restart your computer.

Plese post the new combofix log and let me know how things are going, any problems preforming the above steps.

system · 2008-02-01T00:38:27.000Z

OK here goes.
The only problem I encountered was when combofix shut down my computer I got a “program is not responding” message for hpcmpmgr.exe
Windows ended the program and everything else went fine.

More info on D:
In recovery console it gave me the following options

D:\MiniNT
D:\I386
C:\Windows
(of course I chose 3)

Now, the new ComboFix log:

ComboFix 08-01-31.5 - Compaq_Owner 2008-01-31 19:04:27.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.112 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFscript.txt

Created a new restore point

FILE
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WXEVO1Q3\WinFixer2006FreeInstall[1].exe
C:\Documents and Settings\Compaq_Owner\My Documents\error.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\datacle.dll . . . . failed to delete
D:\Autorun.inf . . . . failed to delete
C:\WINDOWS\system32\datacle.dll . . . . failed to delete
D:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-30 18:41 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-30 18:41 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-30 18:41 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-30 18:40 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-30 18:40 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-30 18:40 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-30 18:39 . 2008-01-30 18:39 d-------- C:\Program Files\Alwil Software
2008-01-30 18:39 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-30 18:39 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-30 18:11 . 2008-01-30 18:11 18,884,808 --a------ C:\setupeng.exe
2008-01-29 18:05 . 2008-01-29 18:05 407,680 --a------ C:\aswclnr.exe
2008-01-08 23:20 . 2008-01-13 13:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-08 23:20 . 2008-01-08 23:20 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 00:09 --------- d-----w C:\Program Files\Plaxo
2008-01-31 04:38 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-01-31 04:28 --------- d-----w C:\Program Files\EMBARQ Online Security
2008-01-31 03:26 --------- d-----w C:\Program Files\Palm
2008-01-31 03:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-28 23:36 --------- d-----w C:\Program Files\PC-Doctor for Windows
2007-12-24 21:08 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Viewpoint
2007-12-24 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2005-12-29 02:05 497 —ha-w C:\Documents and Settings\Compaq_Owner\hpothb07.dat
2005-09-09 01:32 164 —ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-08-31 02:21 185 —ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2005-08-31 02:18 497 —ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-08-31 02:18 497 —ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2005-08-31 02:18 0 —ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2005-08-31 02:18 0 —ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2006-06-17 15:00 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys

system · 2008-02-01T00:40:02.000Z

continued…

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{3161E80A-10B1-4011-B569-67B5AFF890B9}]
2007-12-03 20:56 102656 --a------ C:\WINDOWS\system32\datacle.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 16:00 15360]
“MsnMsgr”=“C:\Program Files\MSN Messenger\MsnMsgr.exe”
“PlaxoUpdate”=“C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe” [2007-12-11 17:21 227914]
“updateMgr”=“C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe” [2006-03-30 15:45 313472]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-11-12 14:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SunJavaUpdateSched”=“C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe” [2004-10-21 23:41 32881]
“hpsysdrv”=“c:\windows\system\hpsysdrv.exe” [1998-05-07 18:04 52736]
“IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2004-08-21 00:55 155648]
“UpdateManager”=“C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe” [2003-08-19 10:01 110592]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2004-10-22 00:31 180269]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2004-06-04 21:38 286720]
“Recguard”=“C:\WINDOWS\SMINST\RECGUARD.EXE” [2004-04-14 22:43 233472]
“VTTimer”=“VTTimer.exe”
“SiSPower”=“SiSPower.dll” [2004-09-24 11:49 49152 C:\WINDOWS\system32\SiSPower.dll]
“AGRSMMSG”=“AGRSMMSG.exe” [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
“PS2”=“C:\WINDOWS\system32\ps2.exe”
“LSBWatcher”=“c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe” [2004-10-14 23:54 253952]
“HPDJ Taskbar Utility”=“C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe” [2003-12-04 07:44 176128]
“HPHUPD05”=“C:\Program Files\Hewlett-Packard{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe” [2003-11-12 08:23 49152]
“HP Component Manager”=“C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” [2003-12-22 08:38 241664]
“HPHmon05”=“C:\WINDOWS\system32\hphmon05.exe” [2004-02-02 03:41 495616]
“PrinTray”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe” [2000-05-09 10:38 36864]
“REGSHAVE”=“C:\Program Files\REGSHAVE\REGSHAVE.exe” [2002-02-04 21:32 53248]
“AlcxMonitor”=“ALCXMNTR.EXE” [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2004-10-22 01:01 98304]
“ISUSPM Startup”=“C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe” [2004-04-17 21:41 196608]
“MSKDetectorExe”=“C:\Program Files\McAfee\SpamKiller\MSKDetct.exe” [2004-08-03 17:18 1083392]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 08:00 79224]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2008-01-30 22:26:10 2494464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]

R0 dueavlel;dueavlel;C:\WINDOWS\system32\drivers\ikuracjg.dat

.
Contents of the ‘Scheduled Tasks’ folder
“2008-01-31 23:49:01 C:\WINDOWS\Tasks\HP Usg Daily.job”

C:\Program Files\Hewlett-Packard{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe
“2008-01-26 01:00:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (COMPUTER-Compaq_Owner).job”
c:\program files\mcafee.com\vso\mcmnhdlr.exe
“2006-12-03 03:33:06 C:\WINDOWS\Tasks\WebReg .job”
C:\Program Files\Hewlett-Packard\digital imaging\bin\hpqwrg.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 19:09:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
.

.
Completion time: 2008-01-31 19:13:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 00:13:02
ComboFix2.txt 2008-01-31 21:50:58
ComboFix3.txt 2008-01-31 16:44:56
.
2008-01-09 08:08:57 — E O F —

system · 2008-02-01T02:21:32.000Z

ok so after all that i did another Avast Boot Scan and it detected 2 files

C:\WINDOWS\ikuracjg.old infected by Win32:Agent-PSI (Rtk)
moved to chest

C:\WINDOWS\System32\drivers\cjphnmli.dat infected by Win32:Agent-NGL (trj)
moved to chest

the file C:\WINDOWS\System32\datacle.dll is still present in the folder, but Avast no longer detects it as being infected. Good news???

system · 2008-02-01T05:50:31.000Z

Well it does look better. I see one new file avast picked up, along with the renamed file, which avast also got.

So we know at least one of the commands from within the recovery console worked.

We’ll have a look at that autorun, then try to unload the last driver.

From this link http://cid-32d8666f4048075b.skydrive.live.com/browse.aspx/Malware%20files

download, save to your desktop, and run this program

QueryMountPoints

after you download it, double click it to run, please post the results.

Now we see how successful we where in disabling the evil driver. We’ll use use avenger again. Follow the previous Avenger operating instructions, but with the following script

Drivers to unload: dueavlel
Files to delete:
C:\WINDOWS\System32\datacle.dll
C:\WINDOWS\system32\drivers\ikuracjg.dat

Please post the avenger results along with the querymountpoint results, a new combofix log and a new HJT log.

TedNelly · 2008-02-01T06:28:59.000Z

Just a couple of things I’m sure 1975maggie would have mentioned

Sun Java Console is out of Date
Sun Java Runtime Environment 6 Update 4
Sun Microsystems, Inc.
Download Sun Java Runtime Environment from the USA

Are you using a Firewall??

system · 2008-02-01T06:38:52.000Z

Thanks tednelly, just getting to that. zippie31 , here are the instructions for replacing and removing your old java.

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to “Java Runtime Environment (JRE) 6 Update 4…allows end-users to run Java applications”.

Click the download button on the right.

If Information Bar pop-ups up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files[b]JavaVM[/b] <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

system · 2008-02-01T13:40:21.000Z

OK. Before I get started with this, I did 2 more boot scans with Avast and now I’m all clean. I was able to manually delete the datacle.dll file. Does this change anything that I need to do?
Thanks 1975maggie for all your help so far!!!

system · 2008-02-01T15:53:05.000Z

You can run the avenger script if you want. It should unload the driver now. I’m pretty sure it’s diabled and the file “C:\WINDOWS\system32\drivers\ikuracjg.dat” is gone as we renamed it and avast caught the renamed file. I don’t know if it was replaced though. You can check for the file.

There may also be a line to fix in HJt, the 02 line that refers to “C:\WINDOWS\System32\datacle.dll”

The java update is important, as old java can be an entry point for malware.

You may want to consider this

If you are using windows firewall, please note that it doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

If you want to post the logs we’ll have a look, if you are satisfied then you can clean up the tools you downloaded.

download OTMOVEIT2 from here

http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

Double click OTMoveIt and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean.

Select Start > All Programs > Accessories > System tools > System Restore.
On the dialogue box that appears select Create a Restore Point
Click NEXT
Enter a name e.g. Clean
Click CREATE

You now have a clean restore point, to get rid of the bad ones:

Select Start > All Programs > Accessories > System tools > Disk Cleanup.
In the Drop down box that appears select your main drive e.g. C
Click OK
The System will do some calculation and the display a dialogue box with TABS
Select the More Options Tab.
At the bottom will be a system restore box with a CLEANUP button click this
Accept the Warning and select OK again, the program will close and you are done

system · 2008-02-01T18:25:11.000Z

all right
in answer to the firewall question, i did have a firewall with my old security software untill I uninstalled it 2 days ago (because it obviously did such a fine job of protecting me!!) After finishing this post, that’s my next stop. I will download something.

I ran the avenger script, I will post the log momentarily.
Then I ran HJT and fixedthe 02 line referring to datacle.dll
I will post that log also.
After that I downloaded JRE and uninstalled "Java 2 Runtime Environment SE v1.42_03
Then I deleted the Java folder from C:\windows\program files
Installed the new Java
Ran combofix and will post that log

system · 2008-02-01T18:27:08.000Z

Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wajirlym

Script file located at: ??\C:\WINDOWS\iiugkwmr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

Beginning to process script file:

Registry key \Registry\Machine\System\CurrentControlSet\Services\dueavelel not found!
Unload of driver dueavelel failed!

Could not process line:
dueavelel
Status: 0xc0000034

File C:\WINDOWS\System32\datacle.dll not found!
Deletion of file C:\WINDOWS\System32\datacle.dll failed!

Could not process line:
C:\WINDOWS\System32\datacle.dll
Status: 0xc0000034

File C:\WINDOWS\System32\drivers\ikuracjg.dat not found!
Deletion of file C:\WINDOWS\System32\drivers\ikuracjg.dat failed!

Could not process line:
C:\WINDOWS\System32\drivers\ikuracjg.dat
Status: 0xc0000034

Completed script processing.

Finished! Terminate.

system · 2008-02-01T18:29:17.000Z

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:04 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
HJT log:

C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe

system · 2008-02-01T18:30:04.000Z

HJT log continued:

–
End of file - 9732 bytes

system · 2008-02-01T18:31:31.000Z

combofix log:

ComboFix 08-01-31.5 - Compaq_Owner 2008-02-01 13:07:59.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.109 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 13:03 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-01 13:02 . 2008-02-01 13:03 d-------- C:\Program Files\Java
2008-02-01 13:02 . 2008-02-01 13:02 d-------- C:\Program Files\Common Files\Java
2008-01-30 18:41 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-30 18:41 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-30 18:41 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-30 18:40 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-30 18:40 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-30 18:40 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-30 18:39 . 2008-01-30 18:39 d-------- C:\Program Files\Alwil Software
2008-01-30 18:39 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-30 18:39 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-30 18:11 . 2008-01-30 18:11 18,884,808 --a------ C:\setupeng.exe
2008-01-29 18:05 . 2008-01-29 18:05 407,680 --a------ C:\aswclnr.exe
2008-01-08 23:20 . 2008-01-13 13:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-08 23:20 . 2008-01-08 23:20 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 18:11 --------- d-----w C:\Program Files\Plaxo
2008-01-31 04:38 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-01-31 04:28 --------- d-----w C:\Program Files\EMBARQ Online Security
2008-01-31 03:26 --------- d-----w C:\Program Files\Palm
2008-01-31 03:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-28 23:36 --------- d-----w C:\Program Files\PC-Doctor for Windows
2007-12-24 21:08 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Viewpoint
2007-12-24 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2005-12-29 02:05 497 —ha-w C:\Documents and Settings\Compaq_Owner\hpothb07.dat
2005-09-09 01:32 164 —ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-08-31 02:21 185 —ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2005-08-31 02:18 497 —ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-08-31 02:18 497 —ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2005-08-31 02:18 0 —ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2005-08-31 02:18 0 —ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2006-06-17 15:00 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 16:00 15360]
“MsnMsgr”=“C:\Program Files\MSN Messenger\MsnMsgr.exe”
“PlaxoUpdate”=“C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe” [2007-12-11 17:21 227914]
“updateMgr”=“C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe” [2006-03-30 15:45 313472]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-11-12 14:53 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“hpsysdrv”=“c:\windows\system\hpsysdrv.exe” [1998-05-07 18:04 52736]
“IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2004-08-21 00:55 155648]
“UpdateManager”=“C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe” [2003-08-19 10:01 110592]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2004-10-22 00:31 180269]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2004-06-04 21:38 286720]
“Recguard”=“C:\WINDOWS\SMINST\RECGUARD.EXE” [2004-04-14 22:43 233472]
“VTTimer”=“VTTimer.exe”
“SiSPower”=“SiSPower.dll” [2004-09-24 11:49 49152 C:\WINDOWS\system32\SiSPower.dll]
“AGRSMMSG”=“AGRSMMSG.exe” [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
“PS2”=“C:\WINDOWS\system32\ps2.exe”
“LSBWatcher”=“c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe” [2004-10-14 23:54 253952]
“HPDJ Taskbar Utility”=“C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe” [2003-12-04 07:44 176128]
“HPHUPD05”=“C:\Program Files\Hewlett-Packard{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe” [2003-11-12 08:23 49152]
“HP Component Manager”=“C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” [2003-12-22 08:38 241664]
“HPHmon05”=“C:\WINDOWS\system32\hphmon05.exe” [2004-02-02 03:41 495616]
“PrinTray”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe” [2000-05-09 10:38 36864]
“REGSHAVE”=“C:\Program Files\REGSHAVE\REGSHAVE.exe” [2002-02-04 21:32 53248]
“AlcxMonitor”=“ALCXMNTR.EXE” [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2004-10-22 01:01 98304]
“ISUSPM Startup”=“C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe” [2004-04-17 21:41 196608]
“MSKDetectorExe”=“C:\Program Files\McAfee\SpamKiller\MSKDetct.exe” [2004-08-03 17:18 1083392]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 08:00 79224]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe” [2007-12-14 03:42 144784]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2008-01-30 22:26:10 2494464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]

S4 dueavlel;dueavlel;C:\WINDOWS\system32\drivers\ikuracjg.dat

system · 2008-02-01T18:32:17.000Z

combofix log continued:

.
Contents of the ‘Scheduled Tasks’ folder
“2008-02-01 15:49:01 C:\WINDOWS\Tasks\HP Usg Daily.job”

C:\Program Files\Hewlett-Packard{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe
“2008-01-26 01:00:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (COMPUTER-Compaq_Owner).job”
c:\program files\mcafee.com\vso\mcmnhdlr.exe
“2006-12-03 03:33:06 C:\WINDOWS\Tasks\WebReg .job”
C:\Program Files\Hewlett-Packard\digital imaging\bin\hpqwrg.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 13:12:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
.

.
Completion time: 2008-02-01 13:15:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 18:15:25
ComboFix2.txt 2008-02-01 00:13:07
ComboFix3.txt 2008-01-31 21:50:58
ComboFix4.txt 2008-01-31 16:44:56
.
2008-01-09 08:08:57 — E O F —

system · 2008-02-03T03:35:50.000Z

Hi zippie31, how’s everything?

The driver/service is crippled, we can remove it completely or just leave it. It shouldn’t be able to run at all, because the reg key that it ran from is gone and the file is gone.

you can run the querymountpoints if you want, it will show us what is in the autorun.inf. The program runs in seconds.

system · 2008-02-03T13:13:08.000Z

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2##HPDBLOCKS#BLOCKS]
“BaseClass”=“Drive”
“_CommentFromDesktopINI”=“”
“_LabelFromDesktopINI”=“”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\K]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\L]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{00cb0d9a-7ee2-11d9-ac5b-00038a000015}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,
5f,5f,00,00,10,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{03d1950c-6ca0-11dc-ae72-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{03d1950c-6ca0-11dc-ae72-00112fb6d8ea}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{03d1950c-6ca0-11dc-ae72-00112fb6d8ea}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{03d1950c-6ca0-11dc-ae72-00112fb6d8ea}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{18576c36-2368-11d9-9931-806d6172696f}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{18576c37-2368-11d9-9931-806d6172696f}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{18576c38-2368-11d9-9931-806d6172696f}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{35e11ff2-73fc-11da-ad39-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{35e11ff2-73fc-11da-ad39-00112fb6d8ea}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{35e11ff2-73fc-11da-ad39-00112fb6d8ea}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

system · 2008-02-03T13:32:22.000Z

QueryMountPoints log continued:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{35e11ff2-73fc-11da-ad39-00112fb6d8ea}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{509d3a6e-23ac-11d9-b2c1-eb8014c5f208}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{52f9df9b-94ee-11d9-ac6f-00038a000011}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{52f9df9b-94ee-11d9-ac6f-00038a000011}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{52f9df9b-94ee-11d9-ac6f-00038a000011}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{52f9df9b-94ee-11d9-ac6f-00038a000011}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{59f1f644-a41c-11dc-ae96-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,06,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5c698ae5-8342-11db-ade1-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,
5f,5f,00,00,10,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5c698ae6-8342-11db-ade1-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5c698ae7-8342-11db-ade1-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5c747fa4-e714-11db-ae0d-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,
5f,5f,00,00,10,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5c747fa4-e714-11db-ae0d-00112fb6d8ea}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5c747fa4-e714-11db-ae0d-00112fb6d8ea}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5c747fa4-e714-11db-ae0d-00112fb6d8ea}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5e620d25-decb-11da-ad68-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5e620d25-decb-11da-ad68-00112fb6d8ea}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5e620d25-decb-11da-ad68-00112fb6d8ea}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

system · 2008-02-03T14:05:39.000Z

still cotinued:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5e620d25-decb-11da-ad68-00112fb6d8ea}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7757e10a-1699-11da-acff-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7757e10a-1699-11da-acff-00112fb6d8ea}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7757e10a-1699-11da-acff-00112fb6d8ea}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7757e10a-1699-11da-acff-00112fb6d8ea}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b10c70e-83e2-11db-ade2-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,
5f,5f,00,00,10,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b10c70e-83e2-11db-ade2-00112fb6d8ea}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b10c70e-83e2-11db-ade2-00112fb6d8ea}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b10c70e-83e2-11db-ade2-00112fb6d8ea}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7d536d54-23b5-11d9-b2d1-88e28bf35287}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7ef3c9b0-7ea5-11d9-ac56-806d6172696f}]
“BaseClass”=“Drive”
“_CommentFromDesktopINI”=“”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7ef3c9b1-7ea5-11d9-ac56-806d6172696f}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7ef3c9b2-7ea5-11d9-ac56-806d6172696f}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,01,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,60,00,00,00,0a,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7ef3c9b2-7ea5-11d9-ac56-806d6172696f}_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7ef3c9b2-7ea5-11d9-ac56-806d6172696f}_Autorun\DefaultIcon]
@=“E:\Autorun.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7ef3c9b3-7ea5-11d9-ac56-806d6172696f}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7ef3c9b4-7ea5-11d9-ac56-806d6172696f}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7ef3c9b5-7ea5-11d9-ac56-806d6172696f}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7ef3c9b6-7ea5-11d9-ac56-806d6172696f}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8362bb8e-3cb0-11dc-ae3e-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{860e4bd8-23b2-11d9-b2cd-a1b80f873a89}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8b5749a0-cfc6-11dc-aeb1-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8b5749a0-cfc6-11dc-aeb1-00112fb6d8ea}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8b5749a0-cfc6-11dc-aeb1-00112fb6d8ea}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8b5749a0-cfc6-11dc-aeb1-00112fb6d8ea}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{a2136814-1492-11da-acf5-00112fb6d8ea}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

Announcements