INF:Autorun-G [Trj] Trojan Horse?

Event Record #/Type1881 / Warning
Event Submitted/Written: 12/19/2007 09:03:38 PM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: warning

A LiveUpdate session is already in progress; cannot launch Automatic LiveUpdate.

Event Record #/Type1879 / Warning
Event Submitted/Written: 12/19/2007 08:58:38 PM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: warning

A LiveUpdate session is already in progress; cannot launch Automatic LiveUpdate.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type41035 / Warning
Event Submitted/Written: 12/21/2007 08:24:58 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 000FB0D85185. The IP address being used is 169.254.189.102.

Event Record #/Type41031 / Warning
Event Submitted/Written: 12/21/2007 08:21:44 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 000FB0D85185. The IP address being used is 169.254.189.102.

Event Record #/Type40939 / Warning
Event Submitted/Written: 12/20/2007 08:42:15 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013CEED33E7. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type40928 / Warning
Event Submitted/Written: 12/20/2007 00:27:44 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type40820 / Error
Event Submitted/Written: 12/19/2007 08:21:02 PM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 0013CEED33E7. The following error
occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

-- End of Deckard's System Scanner: finished at 2007-12-21 09:26:32 ------------

I’m sorry for that monster post! I have no idea what you guys are looking for in that DSS but it seems that you can help us!

I think I need to do a nice format before Christmas! :wink:

Thanks a lot for taking the time to help us!

Happy Holidays!

Well you used some tools to clean up pretty well.

Open HJT run a system scan only and place a checkmark next to these lines, if present

O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\Pierre\LOCALS~1\Temp\~DP5C.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Close all other windows and click fix. Close HJT

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\ntdeIect.com
C:\WINDOWS\system32\kav1.dll
C:\WINDOWS\system32\kav0.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new DSS log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

I need some information on this folder. Can you have a look in it and see what it contains. Just click on the folder, the contents should appear in the right hand panel.

C:\autorun.inf

Thank you so much oldman for such a fast reply!

I found the 2 O2 – BHO files and successfully fixed them.

With OTMoveIt:

File/Folder C:\ntdeIect.com not found.
C:\WINDOWS\system32\kav1.dll moved successfully.
C:\WINDOWS\system32\kav0.dll moved successfully.

But I am still worried about my external HD. And I might have a few pendrives (USB keys) infected with the same Trojan.

What is the best solution for the precious data I have on my external Hard Drive?

Here is my new DSS, many thanks for your help!

Deckard's System Scanner v20071014.68
Run by Pierre on 2007-12-22 09:43:26
Computer is in Normal Mode.

-- HijackThis (run as Pierre.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:30 AM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\PTC - Wildfire 3.0\i486_nt\obj\lmgrd.exe
C:\Program Files\PTC - Wildfire 3.0\i486_nt\obj\lmgrd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PTC - Wildfire 3.0\i486_nt\obj\ptc_d.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\APO Usb Autorun\usb_autorun.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Pierre\Desktop\Download\dss.exe
C:\PROGRA~1\HIJACK~1\Pierre.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shoptoshiba.ca/welcome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: APO Usb Autorun.lnk = C:\Program Files\APO Usb Autorun\usb_autorun.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196416602312
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://mariecoton.ourlinksys.com:1024/NetCamPlayerWeb11gv2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\PTC - Wildfire 3.0\i486_nt\obj\lmgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe


End of file - 11461 bytes

-- Files created between 2007-11-22 and 2007-12-22 -----------------------------

2007-12-21 10:07:25 0 d-------- C:\Program Files\APO Usb Autorun
2007-12-19 20:44:56 0 d-------- C:\Program Files\Share Cracker
2007-12-19 20:44:22 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-12-19 20:26:27 0 d-------- C:\Documents and Settings\Pierre\Application Data\Symantec
2007-12-19 20:23:19 0 d-------- C:\Program Files\Windows Sidebar
2007-12-19 20:21:23 0 d-------- C:\Program Files\Norton Internet Security
2007-12-19 20:19:37 0 d-------- C:\Program Files\Symantec
2007-12-19 20:19:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-19 20:08:16 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-19 20:03:59 0 d-------- C:\Program Files\Norton Internet Security 2008
2007-12-18 15:54:16 0 dr-hs---- C:\autorun.inf
2007-12-18 13:47:20 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-18 13:47:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-18 13:47:20 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-18 13:47:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-18 13:47:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-18 13:47:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-18 13:47:19 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-12-18 13:47:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-18 13:47:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-18 13:47:19 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-12-18 13:47:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-18 13:47:19 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-12-18 13:47:19 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-18 13:47:19 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-12-18 13:47:18 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-18 13:47:18 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-18 13:47:18 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-18 13:47:17 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-26 22:42:07 0 d-------- C:\Documents and Settings\Pierre\Application Data\1ClickDVDCopy

-- Find3M Report ---------------------------------------------------------------

2007-12-20 21:53:49 0 d-------- C:\Program Files\Wenlin3
2007-12-19 20:22:53 0 d-------- C:\Program Files\Common Files
2007-12-19 20:05:02 0 d-------- C:\Documents and Settings\Pierre\Application Data\uTorrent
2007-12-16 12:35:26 0 d-------- C:\Documents and Settings\Pierre\Application Data\Skype
2007-12-14 08:29:04 0 d-------- C:\Program Files\Avast4
2007-12-03 13:15:54 0 d-------- C:\Program Files\Java
2007-11-27 07:24:17 0 d-------- C:\Program Files\1Click DVD Copy 5
2007-11-21 21:56:02 0 d-------- C:\Program Files\VideoConverter3
2007-11-20 14:30:24 0 d-------- C:\Program Files\ElcomSoft
2007-10-31 17:14:32 0 d-------- C:\Documents and Settings\Pierre\Application Data\Vso
2007-10-31 17:14:32 34 --a------ C:\Documents and Settings\Pierre\Application Data\pcouffin.log
2007-10-31 17:14:11 47360 --a------ C:\Documents and Settings\Pierre\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-10-31 17:14:11 1144 --a------ C:\Documents and Settings\Pierre\Application Data\pcouffin.inf
2007-10-31 17:14:11 7176 --a------ C:\Documents and Settings\Pierre\Application Data\pcouffin.cat
2007-10-31 17:14:11 81920 --a------ C:\Documents and Settings\Pierre\Application Data\ezpinst.exe
2007-10-31 14:09:06 0 d-------- C:\Program Files\FloorPlan3d
2007-10-26 10:19:39 0 d-------- C:\Documents and Settings\Pierre\Application Data\Macromedia
2007-10-01 18:00:48 31944 --a------ C:\Documents and Settings\Pierre\Application Data\GDIPFONTCACHEV1.DAT

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/25/2007 11:51 AM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
12/19/2007 08:22 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [08/26/2005 09:49 AM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [03/23/2004 10:40 PM]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [08/26/2005 10:11 AM]
"NDSTray.exe"="NDSTray.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [04/06/2005 07:25 AM]
"TPSMain"="TPSMain.exe" [06/01/2005 08:16 AM C:\WINDOWS\system32\TPSMain.exe]
"ZoomingHook"="ZoomingHook.exe" [06/07/2005 12:58 AM C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [04/27/2005 07:13 AM]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [05/02/2004 04:45 AM]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [07/16/2005 01:52 AM]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [05/02/2004 04:45 AM]
"AGRSMMSG"="AGRSMMSG.exe" [12/22/2004 01:10 AM C:\WINDOWS\agrsmmsg.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [08/22/2005 04:49 PM C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe"
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [04/02/2003 10:20 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 08:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 08:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 PM]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [01/12/2006 08:52 PM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [12/09/2005 03:32 PM]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [12/04/2007 09:00 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
"LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" [12/07/2005 10:26 AM]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" [12/07/2005 10:33 AM]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [11/01/2004 05:22 PM]
"EPSON Stylus C67 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.exe" [01/25/2005 04:00 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/13/2007 09:47 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/13/2007 09:47 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [01/13/2007 09:46 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe" [08/30/2007 06:32 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/25/2007 01:07 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/25/2007 12:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]

C:\Documents and Settings\Pierre\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]
APO Usb Autorun.lnk - C:\Program Files\APO Usb Autorun\usb_autorun.exe [11/3/2006 4:39:34 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [9/1/2005 7:52:49 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=01000000
"NoLogoff"=01000000
"NoRecentDocsMenu"=01000000
"NoActiveDesktop"=01000000
"NoRecentDocsHistory"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoNetworkConnections"=01000000
"NoUserNameInStartMenu"=01000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29247ffa-88c8-11db-af63-000fb0d85185}]
1\Command- .\RECYCLER\RECYCLER\autorun.exe
2\Command- .\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c360622a-8510-11db-af5c-000fb0d85185}]
1\Command- .\RECYCLER\RECYCLER\autorun.exe
2\Command- .\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d933d886-3f6c-11dc-b01e-000fb0d85185}]
AutoRun\command- F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4912d06-e358-11db-afb5-000fb0d85185}]
1\Command- F:.\RECYCLER\RECYCLER\autorun.exe
2\Command- F:.\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

Newly Created Service - COMHOST

-- End of Deckard's System Scanner: finished at 2007-12-22 09:44:00 ------------

Hi, could you please post the information I asked for earlier.

I need some information on this folder. Can you have a look in it and see what it contains. Just click on the folder, the contents should appear in the right hand panel.

C:\autorun.inf

We’ll remove it if we have to, but I would like to know it’s contents first. Then we will look at your other usb devices.

F:\ is your usb hard drive?

Hi oldman and everybody else. I’m back!

I formatted 2 computers and I'm just about to do a third one also infected by the same virus. It's a very painstaking job…

I am still looking for the autorun.inf file but I really can't find it. Even in the DOS window it said: "'autorun' is not recognized as an internal or external command, operable program or batch file."

Would you please teach me how to destroy this Trojan on ALL the USB pen and HD. I don’t want to see that monster anymore!

My usb HD is always kicked to F: after I install Demon to mount some .iso. It never created any problem for me.

Let me know if you need any additional information!

Thanks a lot for your very needed help!

Okay let’s see if we can track down the autorun.inf

Click on the link below and down load the following file and save it to your desk top.

queerymountpoints.bat

Plug in your usb device and double click the file you just downloaded. A notepad file named mountpoints.txt will appear on your desktop when it has finished. Please post the contents of that file in your next reply.

http://cid-32d8666f4048075b.skydrive.live.com/browse.aspx/Malware%20files
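An added triage script for the mountpoints.txt export described above; this is written for this page, it is not one of oldman's tools and it does not come from the thread. It parses a REGEDIT4 export, pulls out every per-volume Shell\<verb>\command key under MountPoints2, and flags commands that launch through RunDLL32 ShellExec_RunDLL, point into a RECYCLER folder, name autorun.exe, or use a path relative to the volume, which is exactly the shape of the entries in the DSS registry dump earlier in the thread. It then runs the same checks over the open=, shellexecute= and shell\...\command= keys of an autorun.inf. Both inputs embedded in the script are constructed samples: the export reuses the volume GUIDs and commands from the DSS dump, and the autorun.inf is a plausible layout, since the real file never appears in the thread.

```python
r"""Flag autorun launch commands in a MountPoints2 export and in an autorun.inf.

Added example for this thread, not one of the tools the helper linked. It reads a
REGEDIT4 export such as the mountpoints.txt the batch file writes, flags each
per-volume Shell\<verb>\command that looks like the RunDLL32 ShellExec_RunDLL
.\RECYCLER\RECYCLER\autorun.exe entries in the DSS registry dump above, and runs
the same checks on the launch keys of an autorun.inf.
"""
import re

SUSPICIOUS_PATTERNS = [  # matched case-insensitively against a launch command
    (r"ShellExec_RunDLL", "launches through RunDLL32 Shell32.DLL,ShellExec_RunDLL"),
    (r"\\RECYCLER\\", "executable hidden inside a RECYCLER folder"),
    (r"\\autorun\.exe\b", "target named autorun.exe"),
]
# Per-volume handler key: ...\MountPoints2\{volume-guid}\Shell\<verb>\command
MOUNTPOINT_CMD = re.compile(r"MountPoints2\\(\{[0-9a-f-]{36}\})\\Shell\\([^\\]+)\\command$", re.I)
REG_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_regedit4(text):
    """{key_path: {value_name: data}}; string data unescaped, hex:/dword: kept raw."""
    def unescape(s):
        return re.sub(r"\\(.)", r"\1", s)  # REGEDIT escaping: \\ -> \ and \" -> "
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("REGEDIT", "Windows Registry")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if current is None or not m:
            continue  # hex continuation lines end up here
        name = "@" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = unescape(data[1:-1])
        keys[current][name] = data
    return keys


def suspicion_reasons(cmd):
    """Why a launch command deserves attention; an empty list means nothing seen."""
    reasons = [why for pat, why in SUSPICIOUS_PATTERNS if re.search(pat, cmd, re.I)]
    # No drive letter, UNC prefix or %var%: the path resolves on the volume
    # itself, which is how the copy of the worm on the stick gets executed.
    if cmd and not re.match(r'^"?(?:[a-z]:\\|\\\\|%)', cmd, re.I):
        reasons.append("relative path, resolves on the removable volume")
    return reasons


def find_suspicious_mountpoints(export_text):
    """List (volume_guid, verb, command, reasons) for flagged MountPoints2 commands."""
    findings = []
    for key, values in parse_regedit4(export_text).items():
        m = MOUNTPOINT_CMD.search(key)
        if m and (reasons := suspicion_reasons(values.get("@", ""))):
            findings.append((m.group(1).lower(), m.group(2), values["@"], reasons))
    return findings


def autorun_targets(inf_text):
    r"""{key: value} for open=, shellexecute= and shell\<verb>\command= in [autorun]."""
    targets, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            k = k.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                targets[k] = v
    return targets


# Constructed REGEDIT4 export modelled on the DSS dump (same GUIDs and commands).
SAMPLE_MOUNTPOINTS_EXPORT = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{29247ffa-88c8-11db-af63-000fb0d85185}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\\RECYCLER\\RECYCLER\\autorun.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{29247ffa-88c8-11db-af63-000fb0d85185}\Shell\1\Command]
@=".\\RECYCLER\\RECYCLER\\autorun.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d933d886-3f6c-11dc-b01e-000fb0d85185}\Shell\AutoRun\command]
@="F:\\LaunchU3.exe"
"""
# Constructed autorun.inf in the style such worms drop; the real one never appears in the thread.
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\RECYCLER\\autorun.exe
shell\\Auto\\command=RECYCLER\\RECYCLER\\autorun.exe
"""

if __name__ == "__main__":
    for guid, verb, cmd, why in find_suspicious_mountpoints(SAMPLE_MOUNTPOINTS_EXPORT):
        print(f"{guid} Shell\\{verb}\\command -> {cmd}: " + "; ".join(why))
    for k, v in autorun_targets(SAMPLE_AUTORUN_INF).items():
        print(f"autorun.inf {k}={v}: " + "; ".join(suspicion_reasons(v)))
```

The MountPoints2 keys are per-user cached handlers for every volume the user has ever plugged in, so a flagged {guid} key tells you which device carried the worm, but deleting the key alone cleans nothing: the autorun.inf and the RECYCLER\RECYCLER\autorun.exe on the volume have to go as well (clear their hidden/system attributes with attrib -r -s -h first so they are visible), and the key comes back the next time an infected volume is inserted with AutoPlay enabled. Setting NoDriveTypeAutoRun to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer disables autorun for all drive types; that is general hardening, not a step the thread prescribes.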

Thanks oldman,

You surely know a lot about malware! Thanks a lot for your help!


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52e59b38-fb96-11d8-b2af-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5641170a-b112-11dc-a15f-806d6172696f}]
"BaseClass"="Drive"
"_LabelFromReg"="Master"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5641170b-b112-11dc-a15f-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,cf,cf,5f,5f,
5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,cf,
5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,60,00,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5641170b-b112-11dc-a15f-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5641170b-b112-11dc-a15f-806d6172696f}\_Autorun\DefaultIcon]
@="D:\QuickCam\Quickcam.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64c2efba-1a1f-11da-8b7f-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,60,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64c2efba-1a1f-11da-8b7f-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64c2efba-1a1f-11da-8b7f-806d6172696f}\_Autorun\DefaultIcon]
@="D:\SETUP.EXE,1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64c2efbb-1a1f-11da-8b7f-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a21413e4-b14e-11dc-a16d-000fb0d85185}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,
5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,01,00,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a21413e4-b14e-11dc-a16d-000fb0d85185}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a21413e4-b14e-11dc-a16d-000fb0d85185}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a21413e4-b14e-11dc-a16d-000fb0d85185}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a325b46a-b160-11dc-933c-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec7430f8-1a66-11da-b418-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5641170a-b112-11dc-a15f-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,
47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,
00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,
67,00,6e,00,61,00,74,00,75,00,72,00,65,00,42,00,33,00,37,00,44,00,42,00,33,
00,37,00,44,00,4f,00,66,00,66,00,73,00,65,00,74,00,37,00,45,00,30,00,30,00,
4c,00,65,00,6e,00,67,00,74,00,68,00,31,00,32,00,39,00,35,00,30,00,39,00,44,
00,30,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,
64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,
00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,
66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,
65,00,7b,00,35,00,36,00,34,00,31,00,31,00,37,00,30,00,61,00,2d,00,62,00,31,
00,31,00,32,00,2d,00,31,00,31,00,64,00,63,00,2d,00,61,00,31,00,35,00,66,00,
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,
00,7d,00,5c,00,00,00,4d,00,61,00,73,00,74,00,65,00,72,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,4e,00,
54,00,46,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,
00,ff,00,05,00,ff,00,00,00,36,00,00,00,5a,eb,ee,14,00,00,00,00,00,00,00,30,
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,
00
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5641170b-b112-11dc-a15f-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,49,00,44,00,45,00,23,00,43,00,\

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a21413e4-b14e-11dc-a16d-000fb0d85185}]
"Data"=hex:36,0b,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a325b46a-b160-11dc-933c-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,43,00,53,00,49,00,23,00,\

"Generation"=dword:00000001

Mountpoints Report
Sun 12/30/2007 16:40:15.54

No Autorun files found in C:\WINDOWS

No Autorun files found in C:\WINDOWS\System32

Drives searched for autorun.inf
C:, D:, F:,

Results of Search


Thanks a lot for your precious help!!!
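The "Data" values under MountPoints2\CPC\Volume in the export above are REG_BINARY blobs, and the readable part of each is a set of UTF-16LE strings. The following Python is an added example, not code from the thread or from any tool the posters used: it parses the .reg hex syntax for the Volume\{5641170a-...} value and pulls the embedded strings out, which in this value turn out to be the device interface path, the \\?\Volume{GUID}\ path, the volume label and the filesystem. The REG_EXPORT data is copied from the dump above with the long runs of 00 padding shortened; the function names and the field interpretation (which string is the label, which is the filesystem) are my own reading of this one value, not a documented layout.

```python
import re

# Excerpt of the registry export posted above: the "Data" value of
# MountPoints2\CPC\Volume\{5641170a-...}. Copied from the dump, except that the
# long runs of 00 padding are shortened and the trailing backslash that a .reg
# file puts on wrapped hex lines is restored (the parser accepts both forms).
REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5641170a-b112-11dc-a15f-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
  47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,\
  00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,\
  67,00,6e,00,61,00,74,00,75,00,72,00,65,00,42,00,33,00,37,00,44,00,42,00,33,\
  00,37,00,44,00,4f,00,66,00,66,00,73,00,65,00,74,00,37,00,45,00,30,00,30,00,\
  4c,00,65,00,6e,00,67,00,74,00,68,00,31,00,32,00,39,00,35,00,30,00,39,00,44,\
  00,30,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,\
  64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,\
  00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,\
  66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
  65,00,7b,00,35,00,36,00,34,00,31,00,31,00,37,00,30,00,61,00,2d,00,62,00,31,\
  00,31,00,32,00,2d,00,31,00,31,00,64,00,63,00,2d,00,61,00,31,00,35,00,66,00,\
  2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
  00,7d,00,5c,00,00,00,4d,00,61,00,73,00,74,00,65,00,72,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,4e,00,\
  54,00,46,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,\
  00,ff,00,05,00,ff,00,00,00,36,00,00,00,5a,eb,ee,14,00,00,00,00,00,00,00,30,\
  00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
  00
"Generation"=dword:00000001
'''

_HEX_LINE = re.compile(r"(?:[0-9a-fA-F]{2},?)+\\?")      # a wrapped hex continuation line
_VALUE_LINE = re.compile(r'(?:"([^"]+)"|@)=(.*)')       # "name"=... or the @ default value


def _hex_bytes(chunk):
    """Turn '5c,00,3f,00,' (optionally ending in a backslash) into bytes."""
    return bytes(int(b, 16) for b in chunk.rstrip("\\").split(",") if b.strip())


def parse_reg_export(text):
    """Values of a .reg export -> {name: bytes | int | str}.
    hex: (REG_BINARY) may wrap over several lines, with or without the trailing
    backslash; dword: becomes an int; "quoted" values become str."""
    values, pending = {}, None          # pending: name of a hex value still being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            pending = None
            continue
        if pending is not None and _HEX_LINE.fullmatch(line):
            values[pending] += _hex_bytes(line)
            continue
        pending = None
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name, rhs = m.group(1) or "@", m.group(2)
        if rhs.startswith("hex:"):
            values[name] = _hex_bytes(rhs[4:])
            pending = name
        elif rhs.startswith("dword:"):
            values[name] = int(rhs[6:], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            values[name] = rhs[1:-1]
    return values


def utf16_strings(blob, min_chars=4):
    """Printable UTF-16LE runs of at least min_chars characters, found at any byte
    offset (same idea as `strings -e l`), so padding alignment does not matter."""
    run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in run.finditer(blob)]


KNOWN_FS = {"NTFS", "FAT", "FAT32", "EXFAT", "CDFS", "UDF"}


def describe_volume_data(blob):
    """Best-effort reading of a CPC\\Volume Data blob, based on this dump: the device
    interface path, the \\\\?\\Volume{GUID}\\ path, the volume label and the filesystem.
    This classification is my interpretation of the strings, not a documented format."""
    found = utf16_strings(blob)
    info = {"strings": found}
    for s in found:
        if s.startswith("\\\\?\\Volume{"):
            info["volume_guid_path"] = s
        elif s.startswith("\\\\?\\"):
            info["device_path"] = s
        elif s.upper() in KNOWN_FS:
            info["filesystem"] = s
        else:
            info.setdefault("label", s)
    return info


if __name__ == "__main__":
    values = parse_reg_export(REG_EXPORT)
    info = describe_volume_data(values["Data"])
    info["generation"] = values["Generation"]
    for key, val in info.items():
        print(f"{key}: {val}")
```

The same GUID that names a CPC\Volume entry also names the MountPoints2\{GUID} key whose shell and Autoplay subkeys appear earlier in the dump, so decoding the Data value is how a responder ties those per-volume Explorer settings back to a concrete device, its label and its filesystem when reviewing which removable drives a machine has seen.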

Try this.

Open the Folder Options in the Control Panel. On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files and Hide known extensions are not checked. Click OK.

Open Windows Explorer, click on the C:\ drive in the left panel. The autorun.inf should be visible in the right hand panel.

Find it, open it with notepad and post its contents here.

Hi. My thumb drive was infected with this virus too. (The drive was formatted before I first plugged it in.)

Before I plugged it into my laptop, I pressed shift to prevent auto-run. So a window popped up asking me what action I wanted to take. I closed it, and scanned the drive with Avast! which detected the virus. I moved it into the virus chest.

Then I removed the drive and plugged it in again, without pressing shift this time. But it sort of hung so I just unplugged it and reinserted it, pressing shift.

The window asking me what to do popped up again. I scanned the drive and found that there was still a file inside. So I reformatted the drive. What I’m worried about now is whether my laptop is still infected. I’ve run 3 thorough tests but no threats were detected. Please advise.

Was the drive plugged in when you ran the mountpoint batch?

Also I now notice that the batch does not look at C for autoruns. I will rewrite it.

Thanks essexboy.

@fishblob

Could you please start your own thread as some logs will be required and it will get quite confusing with two people sharing this thread.
We’ll have a look then.

Thanks

Hi oldman,

well, everything that you tell me to check/uncheck was already done after the format.

I tried a search with the search function in Windows but did not find it.

It’s hiding on the c drive and the f drive…

That mustn’t be a good sign…

Thanks for everything!

Hi Pedro

Okay, just to clarify: was your USB HD plugged in when you ran queerymountpoints.bat?

This file is really hidden. So try this

Click the Start button, click Run. In the box that appears type cmd and click OK.

At the command prompt that appears, type the following line; note the spaces in the command signified by {space}, and yes, those are minus signs in front of the letters.

attrib{space}-r{space}-s{space}-h{space}C:\autorun.inf

hit enter

Now check in windows explorer for the file. If it’s there, please open it with notepad and post the contents here.
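oldman's steps in the two posts above (show hidden and protected files, clear the attributes with attrib -r -s -h, then open autorun.inf and post its contents) come down to one procedure: look for the file at the root of every drive, record its attributes, and read what it would launch. Here is that procedure as an added Python example, not code from the thread and not the queerymountpoints.bat batch: it checks every root passed on the command line (C: included, which essexboy notes the batch skipped), reports the hidden/system/read-only attributes, and parses the [autorun] section for the keys that cause execution (open=, shellexecute= and shell\<verb>\command=). The sample autorun.inf is constructed for the demo, borrowing only the ntdelect.com filename mentioned later in the thread; all function names are my own. The file is read without modifying it, since the hidden and system attributes only affect directory listings, so no attrib step is needed first.

```python
import json
import os
import stat
import sys
import tempfile

# Constructed sample autorun.inf for the demo (not a file from the poster's machine);
# the launched filename is the ntdelect.com the thread mentions.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=ntdelect.com
shell\\open\\Command=ntdelect.com
shell\\open\\Default=1
shellexecute=ntdelect.com
shell\\explore\\command=ntdelect.com
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
; droppers often append junk to trip naive parsers; Windows ignores it, so do we
\x00\x00garbage line without an equals sign
"""

LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun_inf(text):
    """Tolerant INI parse -> {section (lower): [(key (lower), value), ...]}.
    Keys before any [section] land under ''. Lines without '=' are skipped,
    which is also what Windows does with them."""
    sections = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip().strip("\x00").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip().lower(), value.strip()))
    return sections


def launch_targets(sections):
    """Entries that make Explorer run something on insert or double-click:
    open=, shellexecute= and shell\\<verb>\\command= inside an [autorun*] section
    (architecture-specific [autorun.<arch>] sections count as well)."""
    hits = []
    for name, entries in sections.items():
        if not name.startswith("autorun"):
            continue
        for key, value in entries:
            parts = key.split("\\")
            if key in LAUNCH_KEYS or (len(parts) == 3 and parts[0] == "shell" and parts[2] == "command"):
                hits.append((key, value))
    return hits


def file_attributes(path):
    """Hidden/system/read-only flags (Windows st_file_attributes; empty elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    bits = {"hidden": stat.FILE_ATTRIBUTE_HIDDEN,
            "system": stat.FILE_ATTRIBUTE_SYSTEM,
            "readonly": stat.FILE_ATTRIBUTE_READONLY}
    return sorted(name for name, bit in bits.items() if attrs & bit)


def scan_roots(roots):
    """Check the root of each drive for autorun.inf and report what it would launch.
    Reading does not require clearing the attributes first: hidden/system only
    affect directory listings, not open()."""
    report = []
    for root in roots:
        root = root if root.endswith(("\\", "/")) else root + os.sep   # "C:" -> "C:\"
        path = os.path.join(root, "autorun.inf")
        if not os.path.isfile(path):
            report.append({"root": root, "present": False})
            continue
        with open(path, "rb") as fh:
            text = fh.read().decode("latin-1")      # never raises, whatever bytes are inside
        report.append({"root": root, "present": True,
                       "size": os.path.getsize(path),
                       "attributes": file_attributes(path),
                       "launch_targets": launch_targets(parse_autorun_inf(text))})
    return report


def demo_scan():
    """Write the constructed sample into a temporary 'drive root' and scan it,
    plus one root that has no autorun.inf at all."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        os.mkdir(os.path.join(root, "clean"))
        return scan_roots([root, os.path.join(root, "clean")])


if __name__ == "__main__":
    roots = sys.argv[1:]            # e.g. C:\ D:\ F:\ on the affected machine
    print(json.dumps(scan_roots(roots) if roots else demo_scan(), indent=2))
```

Run it with the drive letters as arguments (for this thread, C:\ D:\ F:\) and it prints, per root, whether autorun.inf exists, its attributes and the exact files the [autorun] section points at, which is the information the helpers are asking for here; with no arguments it scans the constructed sample instead. The launch targets are reported, never resolved or executed.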

As I mentioned before, this virus is generated by kavo ‘gengs’…
avast still does not detect this…
to stop the virus from being generated time after time… try installing Spyware Terminator and do a full scan…
this will help remove the kavo and stop the computer from generating the inf and ntdelect.com again in front of any disk…
for the missing folder option, what you need is to open the registry and search for nofolderoption, if I’m not mistaken, and delete the key…
if you can’t open your registry, find some software to open it back, such as tune up 07 or others…
and for the mouse problem just continue as advised before by other members…