J S Fake

[AutoRun]
open=LaunchU3.exe
icon=LaunchU3.exe,0

[Definitions]
Launchpad=LaunchPad.ex

[CopyFiles]
FileNumber=1
File1=LaunchPad.zip

F:>dir /ah
Volume in drive F is U3 System
Volume Serial Number is CACD-3554

Directory of F:\

File Not Found

F:>

You have a U3-enabled flash drive. Nothing to worry about; the autorun.inf is OK. You can scan your pen drive using Avast or Malwarebytes Anti-Malware. Nothing to worry about.
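The autorun.inf quoted above is the kind of file a practitioner would want to check rather than take on trust. The following Python script is an added example, not code from this thread, from U3 or from OldTimer's tools: it parses an autorun.inf the way Windows AutoRun reads it (first [autorun] section, case-insensitive keys) and flags the patterns that separate a vendor launcher stub from a worm dropper. The heuristics, the function names and both sample inputs (the U3 stub re-typed, and a constructed worm-style file that quotes no real malware) are the editor's own assumptions.

```python
"""Triage an autorun.inf pulled from a removable drive.

Added example, not part of the original thread. Heuristics and sample
inputs are the editor's own, constructed for illustration.
"""
import configparser
import ntpath
import re

# Keys under [autorun] that cause something to be executed.
ACTION_KEYS = ("open", "shellexecute")
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
            ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Folders Explorer hides by default; a launcher living there is a red flag.
HIDDEN_DIRS = re.compile(
    r"(^|\\)(recycler|recycled|\$recycle\.bin|system volume information)(\\|$)",
    re.I)

# Constructed sample: the U3 launcher stub as it appears on the drive above.
U3_AUTORUN = """[AutoRun]
open=LaunchU3.exe
icon=LaunchU3.exe,0

[Definitions]
Launchpad=LaunchPad.exe

[CopyFiles]
FileNumber=1
File1=LaunchPad.zip
"""

# Constructed sample: hypothetical worm-style autorun.inf (no real malware quoted).
WORM_AUTORUN = r"""[autorun]
open=RECYCLER\setup.exe
shellexecute=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""


def parse_autorun(text):
    """Return the key/value pairs of the first [autorun] section, keys lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:          # no section header, hopelessly malformed, etc.
        return {}
    for name in cp.sections():          # configparser section names are case-sensitive,
        if name.lower() == "autorun":   # Windows matches them case-insensitively
            return {k: (v or "") for k, v in cp.items(name)}
    return {}


def first_token(cmd):
    """Executable path from a command line: the quoted token, else text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Classify an autorun.inf as 'inert', 'launcher' (runs a file; verify it) or 'suspicious'."""
    autorun = parse_autorun(text)
    findings = []
    if not autorun:
        findings.append("no [autorun] section: AutoRun does nothing with this file")
    targets = [(k, v) for k, v in autorun.items()
               if k in ACTION_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]
    hijack = False
    for key, cmd in targets:
        exe = first_token(cmd)
        if ntpath.splitext(exe)[1].lower() in EXEC_EXT:
            findings.append(f"{key} launches executable {exe}")
        if HIDDEN_DIRS.search(exe):
            findings.append(f"{key} points into a hidden/system folder: {exe}")
            hijack = True
        if key.startswith("shell\\"):
            verb = key.split("\\")[1]
            if verb in ("open", "explore", "autoplay"):
                findings.append(f"{key} hijacks the drive's '{verb}' verb (double-click runs it)")
                hijack = True
    default_verb = autorun.get("shell", "").strip().lower()
    if default_verb and f"shell\\{default_verb}\\command" in autorun:
        findings.append(f"shell= redirects the default verb to '{default_verb}'")
        hijack = True
    if re.search(r"open folder|view files", autorun.get("action", ""), re.I):
        findings.append("action= spoofs the 'Open folder to view files' AutoPlay entry")
        hijack = True
    if hijack:
        verdict = "suspicious"
    elif targets:
        verdict = "launcher"   # runs something: check the binary's signature/hash before trusting it
    else:
        verdict = "inert"
    return {"targets": targets, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("U3 stub", U3_AUTORUN), ("worm-style", WORM_AUTORUN)):
        report = triage(sample)
        print(f"{label}: {report['verdict']}")
        for line in report["findings"]:
            print("  -", line)
```

A "launcher" verdict (one open= pointing at a top-level executable, no verb hijacking) is what the U3 stub produces; that is the point at which a reviewer would hash or signature-check LaunchU3.exe rather than stop. The dir /ah listing above only answers whether hidden files sit in the drive root; parsing the file is the complementary check.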

Thanks.

Any idea where I can get info on the meaning of the OTL report?

Otherwise many thanks for your help. This thread has been going on and on…

Thanks again

qim

no problem.

If OTL is OldTimer's, then the one person I know who reads OTL logs is http://forum.avast.com/index.php?action=profile;u=11091. Send him a message.

nmb

Thanks.

Hi there, I am in the process of reading the thread to see what the problem is. Could you update me?

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTS to your Desktop

1. Close ALL OTHER PROGRAMS.
2. Double-click on OTS.exe to start the program.
3. Check the box that says Scan All Users.
4. Under Additional Scans check the following:
   - Reg - Shell Spawning
   - File - Lop Check
   - File - Purity Scan
   - Evnt - EvtViewer (last 10)
5. Now click the Run Scan button on the toolbar.
6. Let it run unhindered until it finishes.
7. When the scan is complete Notepad will open with the report file loaded in it.
8. Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Hi Essexboy

I got a bit confused because your OTS is apparently a newer version of what I tried before. I have done the scan but unfortunately left out the pen-drive, and so maybe I should start again…

Thanks for your help

qim

Yep, this is a deeper scanning version of the tool by the same author

OTL is OldTimer's ListIt, which is a HJT replacement but on steroids.
OTS is OldTimer's Scanner, which is OTL on steroids.

Just realized that and amended my last post. I am going to try again with the flash-drive

qim

Here it goes:
http://www.mediafire.com/?rqakdyihjmo

However, it does not seem to mention the file in the pen-drive which the earlier OTL did…

AMENDMENT: Yes, it does:

G:\AutorizacionDeDespachoIndividual.QUEIROZ.doc [ÐÏࡱá | ] → G:\AutorizacionDeDespachoIndividual.QUEIROZ.doc [ FAT ] → [2009/07/27 12:26:50 | 00,023,040 | ---- | M] ()

Mysteries…

Thanks

qim

During this run you will lose your taskbar and the system will ask for a reboot on completion - this is normal

Start OTS. Copy/paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-857417043-2124973893-2320036816-1005\] > -> HKEY_USERS\S-1-5-21-857417043-2124973893-2320036816-1005\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-857417043-2124973893-2320036816-1005\] > -> HKEY_USERS\S-1-5-21-857417043-2124973893-2320036816-1005\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Drives with AutoRun files > -> 
NY -> F:\autorun.inf  -> F:\autorun.inf [ CDFS ]
NY -> G:\AutorizacionDeDespachoIndividual.QUEIROZ.doc  -> G:\AutorizacionDeDespachoIndividual.QUEIROZ.doc [ FAT ]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{dad3f9e9-cd88-11dc-a4c8-00130243e846} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dad3f9e9-cd88-11dc-a4c8-00130243e846}\Shell -> 
YN -> \{dad3f9e9-cd88-11dc-a4c8-00130243e846}\Shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dad3f9e9-cd88-11dc-a4c8-00130243e846}\Shell\AutoRun\command -> 
[Registry - Additional Scans - Safe List]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
YN -> regfile [merge] -> Reg Error: Key error.
YN -> txtfile [edit] -> Reg Error: Key error.
[Files/Folders - Modified Within 30 Days]
NY -> qun90ed.url -> C:\Documents and Settings\Qimi\Desktop\qun90ed.url
[Files - No Company Name]
NY -> cfplogvw.INI -> C:\WINDOWS\cfplogvw.INI
NY -> BrMuSNMP.dll -> C:\WINDOWS\System32\BrMuSNMP.dll
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Am I not supposed to check any boxes? Or the same boxes as last time? Does this mean that you found some intruders?

And do I reboot before copying the log?

qim

Copy all of the text in the code box and then paste it into the area that says “Paste fix here” and then click the Run Fix button.
Nothing needs to be done to the other boxes. I am removing the mountpoint, a few orphan malware files and some remnants of Norton.

Ok here it is:

I notice you got rid of an icon I had on the desktop with qun90ed. I need that. Where did it go?

My system folders were changed to be visible. I have checked the box again.

Here is the log:

All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-857417043-2124973893-2320036816-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_USERS\S-1-5-21-857417043-2124973893-2320036816-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
Registry value HKEY_USERS\S-1-5-21-857417043-2124973893-2320036816-1005\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ not found.
File move failed. F:\autorun.inf scheduled to be moved on reboot.
G:\AutorizacionDeDespachoIndividual.QUEIROZ.doc moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dad3f9e9-cd88-11dc-a4c8-00130243e846}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dad3f9e9-cd88-11dc-a4c8-00130243e846}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dad3f9e9-cd88-11dc-a4c8-00130243e846}\Shell\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dad3f9e9-cd88-11dc-a4c8-00130243e846}\Shell not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dad3f9e9-cd88-11dc-a4c8-00130243e846}\Shell\AutoRun\command\ not found.
[Registry - Additional Scans - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\merge\command\"" updated successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\edit\command\"" updated successfully.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\Qimi\Desktop\qun90ed.url moved successfully.
[Files - No Company Name]
C:\WINDOWS\cfplogvw.INI moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\BrMuSNMP.dll
C:\WINDOWS\System32\BrMuSNMP.dll NOT unregistered.
C:\WINDOWS\System32\BrMuSNMP.dll moved successfully.
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 3418 bytes
->Temporary Internet Files folder emptied: 15096894 bytes
->Java cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Guest
->Temp folder emptied: 357246 bytes
->Temporary Internet Files folder emptied: 2240717 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 61898 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 49286 bytes

User: Qimi
->Temp folder emptied: 19048628 bytes
File delete failed. C:\Documents and Settings\Qimi\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 36558070 bytes
->Java cache emptied: 94572970 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 4375057 bytes
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4d0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 16384 bytes
RecycleBin emptied: 103741 bytes

Total Files Cleaned = 164.64 mb

< End of fix log >
OTS by OldTimer - Version 3.0.20.3 fix logfile created on 10062009_213011

Files\Folders moved on Reboot…
File move failed. F:\autorun.inf scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
C:\WINDOWS\temp\Perflib_Perfdata_4d0.dat moved successfully.

Registry entries deleted on Reboot…

Bad choice of name, that, as it is similar to a malware site.

Go to C:\OTS\moved files; it will be located there. Just copy it back to your desktop.

What problems are you experiencing now ?

Thanks

It was only a shortcut with a reminder. I've redone it. All is well. I looked at Event Viewer: there are a number of services that were cut off suddenly about the time I ran OTS. I guess that was to be expected. At the moment everything looks fine.

From what I gathered there was no malware; it just needed a bit of tidying up, is that it? What about that Word file? It was strange to have an autorun next to it, but then maybe the drive needs a pointer as a way in, and now if we look again there will be another one.

Thank you very much for all your help. It was much appreciated.

regards

qim

No problem. Run OTS and hit the Cleanup button. It will remove all the programmes we have used, plus itself.

Cheers

bibi