Need help on my computer

I’m not very good with this computer stuff. I recently got hacked on an online gaming account and lost a lot of stuff.
I did all I could, but scan after scan, I still have these: file:///C:/Documents%20and%20Settings/Home/Desktop/virussx.html
Are there any ways or methods I can use to be free of this for safer use?

C:\WINDOWS\system32\amvo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.rnv skipped
C:\WINDOWS\system32\amvo1.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.rol skipped
C:\DOCUME~1\Home\LOCALS~1\Temp\dsr8q.dll Infected: Trojan-PSW.Win32.OnLineGames.rce skipped
C:\DOCUME~1\Home\LOCALS~1\Temp\i2ir.dll Infected: Trojan-PSW.Win32.OnLineGames.qzl skipped
C:\DOCUME~1\Home\LOCALS~1\Temp\l4rq2a7.dll Infected: Worm.Win32.AutoRun.cpq skipped
C:\DOCUME~1\Home\LOCALS~1\Temp\pqub.dll Infected: Trojan-PSW.Win32.OnLineGames.qlx skipped
C:\DOCUME~1\Home\LOCALS~1\Temp\q4olgq.dll Infected: Trojan-PSW.Win32.OnLineGames.ren skipped
C:\DOCUME~1\Home\LOCALS~1\Temp\vlmmrcd5.dll Infected: Worm.Win32.AutoRun.coi skipped
C:\DOCUME~1\Home\LOCALS~1\Temp\z5.dll Infected: Trojan-PSW.Win32.OnLineGames.rio skipped

And some other objects are locked. They don’t seem to be infected though. It was a scan done by the Kaspersky online scanner.

Let’s run this and see what happens.

Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

[*]Please, never rename Combofix unless instructed.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore your connection.

[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

ComboFix 08-02-22.3 - Home 2008-02-23 10:54:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.583 [GMT 8:00]
Running from: C:\Documents and Settings\Home\Desktop\ComboFix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\winsys.exe
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-23 02:44 . 2008-02-23 02:44 d-------- C:\Program Files\CleanUp!
2008-02-23 02:25 . 2008-02-23 02:35 d-------- C:\Program Files\CABAL Online (SG MY)
2008-02-23 02:08 . 2008-02-23 02:08 d-------- C:\Program Files\ZMatrix
2008-02-23 02:08 . 2008-02-23 02:08 d-------- C:\Documents and Settings\Home\Application Data\.ZMatrix
2008-02-23 02:08 . 2008-02-23 02:08 68 --a------ C:\WINDOWS\ZMatrixSS.ini
2008-02-22 19:45 . 2008-02-22 19:45 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-22 19:45 . 2008-02-22 19:45 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-22 19:44 . 2008-02-22 19:44 d-------- C:\Program Files\Kaspersky Lab
2008-02-22 19:44 . 2008-02-23 10:55 3,732,768 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-22 19:44 . 2008-02-23 02:02 46,508 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-22 19:44 . 2008-02-23 02:03 1,568 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-22 19:44 . 2008-02-23 02:02 1,196 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-22 16:24 . 2008-02-22 16:24 d-------- C:\kav
2008-02-22 15:17 . 2008-02-23 02:03 71,680 --a------ C:\WINDOWS\system32\amvo0.dll.vir
2008-02-22 14:42 . 2008-02-22 14:42 d-------- C:\Program Files\ZoneAlarmSB
2008-02-22 14:41 . 2008-02-22 14:41 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-22 14:41 . 2008-02-22 14:42 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-22 14:40 . 2008-02-22 19:39 d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-22 14:40 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-02-22 14:39 . 2008-02-22 19:37 d-------- C:\WINDOWS\Internet Logs
2008-02-22 13:25 . 2008-02-22 13:25 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-22 13:24 . 2008-02-23 02:23 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-22 13:24 . 2008-02-22 13:24 d-------- C:\Documents and Settings\Home\Application Data\SUPERAntiSpyware.com
2008-02-22 13:22 . 2008-02-22 13:22 d-------- C:\Program Files\Panda Security
2008-02-22 12:50 . 2008-02-22 12:50 d-------- C:\Program Files\Lavasoft
2008-02-22 12:50 . 2008-02-22 12:51 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-22 12:26 . 2008-02-22 12:26 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-22 12:26 . 2008-02-23 10:53 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 11:47 . 2008-02-22 11:47 d-------- C:\Documents and Settings\Home\Application Data\PrevxCSI
2008-02-21 14:08 . 2008-02-23 02:21 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-21 14:07 . 2008-02-21 14:07 d-------- C:\Program Files\Trojan Remover
2008-02-21 14:07 . 2008-02-21 14:07 d-------- C:\Documents and Settings\Home\Application Data\Simply Super Software
2008-02-21 14:07 . 2008-02-21 14:07 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-21 14:07 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-21 14:07 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-21 14:07 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-21 14:07 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-21 14:07 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-20 17:58 . 2008-02-22 19:40 106,757 -r-hs---- C:\oufddh.exe
2008-02-20 01:21 . 2008-02-20 01:21 d-------- C:\Program Files\Investintech.com Inc
2008-02-15 19:42 . 2008-02-15 19:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-15 19:40 . 2008-02-15 19:42 d-------- C:\Documents and Settings\Home\.housecall6.6
2008-02-12 18:16 . 2008-02-22 19:40 106,757 --a------ C:\WINDOWS\system32\amvo.exe.vir
2008-02-12 02:51 . 2008-02-12 02:51 d-------- C:\Program Files\Ventrilo
2008-02-08 18:37 . 2008-02-08 18:37 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2008-02-08 18:35 . 2008-02-08 18:35 23,604 --a------ C:\WINDOWS\system32\drivers\klopp.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 02:52 --------- d-----w C:\Program Files\lg_fwupdate
2008-02-22 18:16 --------- d-----w C:\Program Files\Yahoo!
2008-02-22 18:15 --------- d-----w C:\Program Files\VentSrv
2008-02-22 18:15 --------- d-----w C:\Program Files\Nokia
2008-02-22 18:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 18:08 --------- d-----w C:\Documents and Settings\Home\Application Data\.ZMatrix
2008-02-22 14:02 --------- d-----w C:\Documents and Settings\Home\Application Data\U3
2008-02-21 18:19 --------- d-----w C:\Program Files\Warcraft III
2008-02-21 14:14 --------- d-----w C:\Documents and Settings\Home\Application Data\LimeWire
2008-02-21 06:20 --------- d-----w C:\Program Files\LimeWire
2008-02-05 10:26 --------- d-----w C:\Documents and Settings\Home\Application Data\dvdcss
2008-01-27 11:18 --------- d-----w C:\Program Files\World of Warcraft
2008-01-20 02:54 --------- d-----w C:\Program Files\MessengerDiscovery
2008-01-19 18:42 --------- d-----w C:\Program Files\MSN Messenger
2008-01-06 10:13 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-12-14 03:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-12-02 10:58 127,034 -c----r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-11-25 15:43 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-11-25 14:55 81,920 -c----r C:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe
2007-11-24 16:43 92,064 -c--a-w C:\Documents and Settings\Home\mqdmmdm.sys
2007-11-24 16:43 9,232 -c--a-w C:\Documents and Settings\Home\mqdmmdfl.sys
2007-11-24 16:43 79,328 -c--a-w C:\Documents and Settings\Home\mqdmserd.sys
2007-11-24 16:43 66,656 -c--a-w C:\Documents and Settings\Home\mqdmbus.sys
2007-11-24 16:43 6,208 -c--a-w C:\Documents and Settings\Home\mqdmcmnt.sys
2007-11-24 16:43 5,936 -c--a-w C:\Documents and Settings\Home\mqdmwhnt.sys
2007-11-24 16:43 4,048 -c--a-w C:\Documents and Settings\Home\mqdmcr.sys
2007-11-24 16:43 25,600 -c--a-w C:\Documents and Settings\Home\usbsermptxp.sys
2007-11-24 16:43 22,768 -c--a-w C:\Documents and Settings\Home\usbsermpt.sys
2004-10-01 07:00 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-22 14:42 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-22 14:42 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32 700416]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2007-09-10 20:33 6338360]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2004-06-01 18:46 196608]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe"
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 23:44 8429568]
"nwiz"="nwiz.exe" [2007-04-12 23:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-12-15 10:58 208896]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-12-15 10:58 69632]
"WinSys2"="C:\WINDOWS\system32\winsys2.exe" [2006-12-15 10:59 217088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 23:44 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 14:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-11-02 14:55 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2005-04-12 10:11 229376]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-22 04:21 185632]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36 229376]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-05-21 19:11 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-06-01 11:09 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-06-01 11:03 217088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-02-20 17:48 863824]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

C:\Documents and Settings\Home\Start Menu\Programs\Startup
ZMatrix.lnk - C:\Program Files\ZMatrix\matrix.exe [2003-05-25 17:46:31 114688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-02 18:58:19 67128]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"= %windir%\system32\sessmgr.exe:@xpsp2res.dll,-22019
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"=
"C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe"=
"C:\Documents and Settings\Home\Desktop\lancraft.exe"=
"C:\Program Files\VentSrv\ventrilo_srv.exe"=
"C:\Program Files\BitComet\BitComet.exe"=
"C:\Program Files\WIZET\MapleStory\MapleStory.exe"=
"C:\Program Files\Ares\Ares.exe"=
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=
"C:\Program Files\Yahoo!\Messenger\YServer.exe"=
"C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe"=
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"=
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"C:\Program Files\Windows Live\Messenger\livecall.exe"=
"C:\Program Files\LimeWire\LimeWire.exe"=
"C:\kav\kav7.0\english\setup.exe"=
"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"10426:TCP"= 10426:TCP:BitComet 10426 TCP
"10426:UDP"= 10426:UDP:BitComet 10426 UDP

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2004-05-22 03:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{552908b6-5f30-11dc-8466-806d6172696f}]
\Shell\AutoRun\command - D:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf7078e8-85a5-11dc-b1c2-0019db66a464}]
\Shell\Auto\command - F:\sss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e81952a6-ae32-11dc-b222-0019db66a464}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e81952a7-ae32-11dc-b222-0019db66a464}]
\Shell\AutoRun\command - G:\oufddh.exe
\Shell\explore\Command - G:\oufddh.exe
\Shell\open\Command - G:\oufddh.exe

Newly Created Service - XDVA037
.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 10:55:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-02-23 10:56:23
ComboFix-quarantined-files.txt 2008-02-23 02:56:21

Logfile of HijackThis v1.99.1
Scan saved at 11:06:28 AM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winsys2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Home\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://sg.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://sg.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [trojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

Combofix may have flagged a legitimate file. We will deal with that afterwards. If we do it now, combofix will probably remove it again.

E: drive is…?

Do you have any usb devices, and how many?

Download and run this program.

Download “Clean Autoruns” from HERE:

http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip

Save and extract its contents to the desktop. It is a folder containing a batch file, Clean autoruns.bat, written by Mosaic1. Once extracted, open the folder and double-click Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill Explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt, that show the state before and after the cleaning.

Please post those.

When doing the combofix below, the same instructions regarding security programs apply.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, set the location to your Desktop, and enter “CFscript.txt” (including quotation marks) as the filename. Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\amvo0.dll.vir
C:\WINDOWS\system32\amvo.exe.vir

This will start ComboFix again. Close all browser windows first. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.
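The MountPoints2 entries in the ComboFix log above are the per-volume AutoRun handlers that the Clean autoruns fix is meant to clear. As an added illustration, not part of this thread or of Clean autoruns.bat, this Python script parses that section in ComboFix's format and reports which volumes carry a handler worth cleaning: a command launched through rundll32's ShellExec_RunDLL, an overridden open/explore verb (so double-clicking the drive runs the file), or a nonstandard verb such as Auto. The sample log is constructed from the entries quoted in this thread.

```python
"""Added example: flag suspicious per-volume AutoRun handlers in the
MountPoints2 section of a ComboFix log. Not part of the thread or of
Clean autoruns.bat; the heuristics are the author's, not ComboFix's."""
import re
from typing import Dict, List

# Constructed sample in the format ComboFix prints under "Reg Loading Points",
# built from the entries quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{552908b6-5f30-11dc-8466-806d6172696f}]
\Shell\AutoRun\command - D:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e81952a6-ae32-11dc-b222-0019db66a464}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e81952a7-ae32-11dc-b222-0019db66a464}]
\Shell\AutoRun\command - G:\oufddh.exe
\Shell\explore\Command - G:\oufddh.exe
\Shell\open\Command - G:\oufddh.exe
"""

# "[...\mountpoints2\<volume>]" -> capture the drive letter or volume GUID.
MOUNTPOINT_KEY = re.compile(r"^\[.*\\mountpoints2\\([^\]]+)\]$", re.IGNORECASE)
# "\Shell\<verb>\command - <command line>" as ComboFix prints it.
VERB_LINE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.*)$", re.IGNORECASE)
EXE_NAME = re.compile(r"([\w.\-]+\.exe)", re.IGNORECASE)

# Verbs a normal AutoPlay handler registers. Explorer's own open/explore verbs
# being redirected to a file on the drive is the classic autorun.inf hijack.
STANDARD_VERBS = {"autorun", "autoplay"}
EXPLORER_VERBS = {"open", "explore"}


def parse_mountpoints(log_text: str) -> Dict[str, Dict[str, str]]:
    """Return {volume: {verb (lower-case): command}} for each MountPoints2 block."""
    volumes: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # any registry key header
            key = MOUNTPOINT_KEY.match(line)
            current = key.group(1) if key else None
            if current is not None:
                volumes.setdefault(current, {})
            continue
        verb = VERB_LINE.match(line)
        if verb and current is not None:
            volumes[current][verb.group(1).lower()] = verb.group(2).strip()
    return volumes


def target_of(command: str) -> str:
    """Executable the command ultimately runs: the last *.exe token, so that
    'RunDLL32.EXE ... ShellExec_RunDLL copy.exe' resolves to copy.exe."""
    names = EXE_NAME.findall(command)
    return names[-1] if names else command


def assess_volume(verbs: Dict[str, str]) -> List[str]:
    """Reasons a volume's handlers look like a worm's autorun.inf, or [] if none."""
    reasons: List[str] = []
    for verb, command in verbs.items():
        target = target_of(command)
        if "shellexec_rundll" in command.lower():
            reasons.append(f"{verb}: runs {target} via rundll32 ShellExec_RunDLL")
        if verb in EXPLORER_VERBS:
            reasons.append(f"{verb}: Explorer verb redirected to {target}")
        elif verb not in STANDARD_VERBS:
            reasons.append(f"{verb}: nonstandard verb runs {target}")
    return reasons


def suspicious_volumes(log_text: str) -> Dict[str, List[str]]:
    """Map each volume with at least one suspicious handler to its reasons."""
    result: Dict[str, List[str]] = {}
    for volume, verbs in parse_mountpoints(log_text).items():
        reasons = assess_volume(verbs)
        if reasons:
            result[volume] = reasons
    return result


if __name__ == "__main__":
    for volume, reasons in suspicious_volumes(SAMPLE_LOG).items():
        print(volume)
        for reason in reasons:
            print("   ", reason)
```

On the constructed sample the CD-ROM (D:\autoplay.exe) and U3 launcher entries are left alone, while F, the sxs.exe volume and the oufddh.exe volume are reported.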

Part 1:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,00,
01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,01,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command]
@="C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18aaf67c-76cf-11dc-b19e-0019db66a464}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,06,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18aaf67c-76cf-11dc-b19e-0019db66a464}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18aaf67c-76cf-11dc-b19e-0019db66a464}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18aaf67c-76cf-11dc-b19e-0019db66a464}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43dfb5c7-603b-11dc-aee2-0019db66a464}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43dfb5c7-603b-11dc-aee2-0019db66a464}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43dfb5c7-603b-11dc-aee2-0019db66a464}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43dfb5c7-603b-11dc-aee2-0019db66a464}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{552908b6-5f30-11dc-8466-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,60,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{552908b6-5f30-11dc-8466-806d6172696f}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{552908b6-5f30-11dc-8466-806d6172696f}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{552908b6-5f30-11dc-8466-806d6172696f}\Shell\AutoRun\command]
@="D:\autoplay.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{552908b6-5f30-11dc-8466-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{552908b6-5f30-11dc-8466-806d6172696f}\_Autorun\DefaultIcon]
@=“D:\appicon.ico”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{552908b8-5f30-11dc-8466-806d6172696f}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5c39e901-5f25-11dc-aedc-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,df,df,df,5f,df,df,01,01,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,01,00,00,00,08,00,00,00
“_LabelFromReg”=“SantaVanta”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5df9e44e-6f23-11dc-b18c-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,
5f,5f,00,00,10,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5df9e44e-6f23-11dc-b18c-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5df9e44e-6f23-11dc-b18c-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5df9e44e-6f23-11dc-b18c-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5df9e44f-6f23-11dc-b18c-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621b8-a85c-11dc-b216-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,01,00,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621b8-a85c-11dc-b216-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621b8-a85c-11dc-b216-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621b8-a85c-11dc-b216-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621c3-a85c-11dc-b216-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621c3-a85c-11dc-b216-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621c3-a85c-11dc-b216-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621c3-a85c-11dc-b216-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621c7-a85c-11dc-b216-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621c7-a85c-11dc-b216-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621c7-a85c-11dc-b216-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621c7-a85c-11dc-b216-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8ec2a3f6-888f-11dc-b1cf-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8ec2a3f6-888f-11dc-b1cf-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8ec2a3f6-888f-11dc-b1cf-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8ec2a3f6-888f-11dc-b1cf-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{91d37fe2-ad7f-11dc-b221-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,09,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell]
@=“AutoRun”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\Auto]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\Auto\command]
@=“sxs.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\AutoRun]
“Extended”=“”
@=“Auto&Play”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\AutoRun\command]
@=“C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{9ac1c448-916d-11dc-b1db-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,01,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{9ac1c448-916d-11dc-b1db-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{9ac1c448-916d-11dc-b1db-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{9ac1c448-916d-11dc-b1db-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{c78b2b50-b6d8-11dc-b238-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{c78b2b50-b6d8-11dc-b238-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{c78b2b50-b6d8-11dc-b238-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{c78b2b50-b6d8-11dc-b238-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{cf7078e8-85a5-11dc-b1c2-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,09,04,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell]
@=“AutoRun”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\Auto]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\Auto\command]
@=“F:\sss.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\AutoRun]
“Extended”=“”
@=“Auto&Play”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\AutoRun\command]
@=“C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{d2f649b6-61a6-11dc-b167-806d6172696f}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,60,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{d2f649b6-61a6-11dc-b167-806d6172696f}_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{d2f649b6-61a6-11dc-b167-806d6172696f}_Autorun\DefaultIcon]
@=“D:\appicon.ico”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a6-ae32-11dc-b222-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,20,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a6-ae32-11dc-b222-0019db66a464}\Shell]
@=“AutoRun”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a6-ae32-11dc-b222-0019db66a464}\Shell\AutoRun]
@=“Auto&Play”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a6-ae32-11dc-b222-0019db66a464}\Shell\AutoRun\command]
@=“F:\LaunchU3.exe -a”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a6-ae32-11dc-b222-0019db66a464}_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a6-ae32-11dc-b222-0019db66a464}_Autorun\DefaultIcon]
@=“F:\LaunchU3.exe,0”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a7-ae32-11dc-b222-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,09,04,00,00
“_LabelFromReg”=“Capricorn”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a7-ae32-11dc-b222-0019db66a464}\Shell]
@=“Open”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\AutoRun]
“Extended”=“”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\AutoRun\command]
@=“G:\oufddh.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\explore]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\explore\Command]
@=“G:\oufddh.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\open]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\open\Command]
@=“G:\oufddh.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\open\Default]
@=“1”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{fe56434a-afdf-11dc-b225-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{fe56434a-afdf-11dc-b225-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{fe56434a-afdf-11dc-b225-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{fe56434a-afdf-11dc-b225-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume{552908b8-5f30-11dc-8466-806d6172696f}]
“Data”=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,
47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,
00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,
67,00,6e,00,61,00,74,00,75,00,72,00,65,00,35,00,30,00,36,00,44,00,35,00,30,
00,36,00,43,00,4f,00,66,00,66,00,73,00,65,00,74,00,37,00,45,00,30,00,30,00,
4c,00,65,00,6e,00,67,00,74,00,68,00,39,00,43,00,33,00,44,00,42,00,44,00,38,
00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,64,00,
2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,00,34,
00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,66,00,
62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,
65,00,7b,00,35,00,35,00,32,00,39,00,30,00,38,00,62,00,38,00,2d,00,35,00,66,
00,33,00,30,00,2d,00,31,00,31,00,64,00,63,00,2d,00,38,00,34,00,36,00,36,00,
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,
00,7d,00,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,4e,00,
54,00,46,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,
00,ff,00,07,00,ff,00,00,00,16,00,00,00,ef,3e,e5,18,00,00,00,00,00,00,00,30,
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,
00
“Generation”=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume{5c39e901-5f25-11dc-aedc-0019db66a464}]
“Data”=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,
47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,
00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,
67,00,6e,00,61,00,74,00,75,00,72,00,65,00,35,00,30,00,36,00,44,00,35,00,30,
00,36,00,43,00,4f,00,66,00,66,00,73,00,65,00,74,00,39,00,43,00,33,00,44,00,
43,00,35,00,36,00,30,00,30,00,4c,00,65,00,6e,00,67,00,74,00,68,00,31,00,42,
00,37,00,46,00,33,00,39,00,32,00,43,00,30,00,30,00,23,00,7b,00,35,00,33,00,
66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,
00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,
30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,
65,00,7b,00,35,00,63,00,33,00,39,00,65,00,39,00,30,00,31,00,2d,00,35,00,66,
00,32,00,35,00,2d,00,31,00,31,00,64,00,63,00,2d,00,61,00,65,00,64,00,63,00,
2d,00,30,00,30,00,31,00,39,00,64,00,62,00,36,00,36,00,61,00,34,00,36,00,34,
00,7d,00,5c,00,00,00,53,00,61,00,6e,00,74,00,61,00,56,00,61,00,6e,00,74,00,
61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,4e,00,
54,00,46,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,
00,ff,00,07,00,ff,00,00,00,16,00,00,00,8d,49,e6,f0,00,00,00,00,00,00,00,30,
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,
00
“Generation”=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume{d2f649b6-61a6-11dc-b167-806d6172696f}]
“Data”=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,49,00,44,00,45,00,23,00,43,00,
64,00,52,00,6f,00,6d,00,48,00,4c,00,2d,00,44,00,54,00,2d,00,53,00,54,00,5f,
00,44,00,56,00,44,00,52,00,41,00,4d,00,5f,00,47,00,53,00,41,00,2d,00,48,00,
34,00,32,00,4c,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,
00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,53,00,4c,00,30,00,31,00,5f,00,5f,00,
5f,00,5f,00,23,00,33,00,31,00,34,00,62,00,33,00,37,00,33,00,36,00,33,00,33,
00,33,00,32,00,33,00,32,00,33,00,36,00,33,00,30,00,33,00,32,00,32,00,30,00,
33,00,31,00,32,00,30,00,32,00,30,00,32,00,30,00,32,00,30,00,32,00,30,00,32,
00,30,00,32,00,30,00,32,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,
33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,
00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,
31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,
65,00,7b,00,64,00,32,00,66,00,36,00,34,00,39,00,62,00,36,00,2d,00,36,00,31,
00,61,00,36,00,2d,00,31,00,31,00,64,00,63,00,2d,00,62,00,31,00,36,00,37,00,
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,
00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,
6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,10,00,00,00,ff,01,00,
00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,
00
“Generation”=dword:00000001
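
The MountPoints2 keys in the export above are where Explorer caches each volume's AutoRun handling, and the entries for drive F and several of the {GUID} volumes show the pattern an autorun worm leaves behind: a Shell default of AutoRun, a command that launches copy.exe, sxs.exe or sss.exe through RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL, or the open and explore verbs redirected to G:\oufddh.exe so that double-clicking the drive runs that file. The script below is an added example, not part of this thread and not code from any of the tools mentioned in it: it parses a REGEDIT4 export like the one pasted here and lists the MountPoints2 command entries worth a closer look. The flagging rules are my own heuristics (launcher via ShellExec_RunDLL, an open or explore verb carrying a command, a command given as a bare file name), and the sample export is a constructed cut-down copy of entries from this page with the backslash before each {GUID} key name restored and the curly quotes the forum substituted normalised back to ASCII; the LaunchU3.exe entry is included to show that not every AutoRun command gets flagged.

```python
"""Triage Explorer MountPoints2 AutoRun entries in a REGEDIT4 export.

Added example: the heuristics and the sample input are constructed for
this page; they are not taken from any removal tool.
"""
import re
from typing import Dict, List, Optional, Tuple

MP2_PREFIX = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
              r"\Explorer\MountPoints2")

# Constructed sample: a cut-down copy of entries in the shape of the export
# above. Real exports escape backslashes inside strings as \\ and end hex:
# continuation lines with a backslash; this forum paste has neither, and
# the parser accepts both forms.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command]
@="C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18aaf67c-76cf-11dc-b19e-0019db66a464}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a6-ae32-11dc-b222-0019db66a464}\Shell\AutoRun\command]
@="F:\LaunchU3.exe -a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\open\Command]
@="G:\oufddh.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\Auto\command]
@="sxs.exe"
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key: {value_name: string_value}}.

    Only string values are kept; hex: blobs, which may run over several
    lines ending in a comma or a backslash, are skipped. The default value
    is stored under the empty name "". Curly quotes left by a forum paste
    are normalised to ASCII quotes before parsing.
    """
    text = text.replace("\u201c", '"').replace("\u201d", '"')
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    in_hex = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_hex:  # swallow continuation lines of a hex: blob
            in_hex = line.endswith(",") or line.endswith("\\")
            continue
        if (not line or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        if value.startswith("hex"):
            in_hex = value.endswith(",") or value.endswith("\\")
            continue
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1].replace("\\\\", "\\")
    return keys


def volume_of(key: str) -> Optional[Tuple[str, str]]:
    """Split a MountPoints2 key into (volume, subkey path); None otherwise."""
    if not key.lower().startswith(MP2_PREFIX.lower() + "\\"):
        return None
    volume, _, sub = key[len(MP2_PREFIX) + 1:].partition("\\")
    return volume, sub


def triage_mountpoints(text: str) -> List[dict]:
    """Return the MountPoints2 Shell verb command entries worth a look.

    Heuristics (assumptions made for this example): a command launched via
    ShellExec_RunDLL, any command attached to the open or explore verb, or
    a command that is a bare file name and so resolves on the drive itself.
    """
    findings: List[dict] = []
    for key, values in parse_reg_export(text).items():
        where = volume_of(key)
        if where is None:
            continue
        volume, sub = where
        parts = sub.lower().split("\\")
        if len(parts) != 3 or parts[0] != "shell" or parts[2] != "command":
            continue
        verb, command = parts[1], values.get("", "")
        if not command:
            continue
        reasons = []
        if "shellexec_rundll" in command.lower():
            reasons.append("launched via RunDLL32 ShellExec_RunDLL")
        if verb in ("open", "explore"):
            reasons.append("%s verb redirected to a program" % verb)
        if not re.match(r"[A-Za-z]:\\", command):
            reasons.append("bare file name, resolved on the drive itself")
        if reasons:
            findings.append({"volume": volume, "verb": verb,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_mountpoints(SAMPLE_EXPORT):
        print("%-40s %-8s %s" % (hit["volume"], hit["verb"], hit["command"]))
        for why in hit["reasons"]:
            print("    -", why)
```

Feed it the text of a real export (REGEDIT4 exports are ANSI text, "Windows Registry Editor Version 5.00" exports are UTF-16) and read the reasons field of each hit; the script only reads the export, so each hit still has to be confirmed against the files actually present on that drive.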

Part1 Report
Sat 02/23/2008 12:38:46.46

No Autorun files found in C:\WINDOWS

No Autorun files found in C:\WINDOWS\system32

No Autorun files found in root of C:

No Autorun files found in root of E:

Part 2:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,00,
01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,01,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell]
@=“AutoRun”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun]
@=“Auto&Play”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command]
@=“C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{18aaf67c-76cf-11dc-b19e-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,06,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{18aaf67c-76cf-11dc-b19e-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{18aaf67c-76cf-11dc-b19e-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{18aaf67c-76cf-11dc-b19e-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{43dfb5c7-603b-11dc-aee2-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{43dfb5c7-603b-11dc-aee2-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{43dfb5c7-603b-11dc-aee2-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{43dfb5c7-603b-11dc-aee2-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{552908b6-5f30-11dc-8466-806d6172696f}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,60,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{552908b6-5f30-11dc-8466-806d6172696f}\Shell]
@=“AutoRun”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{552908b6-5f30-11dc-8466-806d6172696f}\Shell\AutoRun]
@=“Auto&Play”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{552908b6-5f30-11dc-8466-806d6172696f}\Shell\AutoRun\command]
@=“D:\autoplay.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{552908b6-5f30-11dc-8466-806d6172696f}_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{552908b6-5f30-11dc-8466-806d6172696f}_Autorun\DefaultIcon]
@=“D:\appicon.ico”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{552908b8-5f30-11dc-8466-806d6172696f}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5c39e901-5f25-11dc-aedc-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,df,df,df,5f,df,df,01,01,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,01,00,00,00,08,00,00,00
“_LabelFromReg”=“SantaVanta”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5df9e44e-6f23-11dc-b18c-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,
5f,5f,00,00,10,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5df9e44e-6f23-11dc-b18c-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5df9e44e-6f23-11dc-b18c-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5df9e44e-6f23-11dc-b18c-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5df9e44f-6f23-11dc-b18c-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621b8-a85c-11dc-b216-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,01,00,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621b8-a85c-11dc-b216-0019db66a464}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621b8-a85c-11dc-b216-0019db66a464}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621b8-a85c-11dc-b216-0019db66a464}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7b3621c3-a85c-11dc-b216-0019db66a464}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b3621c3-a85c-11dc-b216-0019db66a464}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b3621c3-a85c-11dc-b216-0019db66a464}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b3621c3-a85c-11dc-b216-0019db66a464}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b3621c7-a85c-11dc-b216-0019db66a464}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b3621c7-a85c-11dc-b216-0019db66a464}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b3621c7-a85c-11dc-b216-0019db66a464}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b3621c7-a85c-11dc-b216-0019db66a464}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ec2a3f6-888f-11dc-b1cf-0019db66a464}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ec2a3f6-888f-11dc-b1cf-0019db66a464}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ec2a3f6-888f-11dc-b1cf-0019db66a464}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ec2a3f6-888f-11dc-b1cf-0019db66a464}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,09,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\Auto]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\Auto\command]
@="sxs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\AutoRun]
"Extended"=""
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}\Shell\AutoRun\command]
@="C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9ac1c448-916d-11dc-b1db-0019db66a464}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,01,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9ac1c448-916d-11dc-b1db-0019db66a464}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9ac1c448-916d-11dc-b1db-0019db66a464}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9ac1c448-916d-11dc-b1db-0019db66a464}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c78b2b50-b6d8-11dc-b238-0019db66a464}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c78b2b50-b6d8-11dc-b238-0019db66a464}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c78b2b50-b6d8-11dc-b238-0019db66a464}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c78b2b50-b6d8-11dc-b238-0019db66a464}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf7078e8-85a5-11dc-b1c2-0019db66a464}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,09,04,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\Auto]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\Auto\command]
@="F:\sss.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\AutoRun]
"Extended"=""
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf7078e8-85a5-11dc-b1c2-0019db66a464}\Shell\AutoRun\command]
@="C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d2f649b6-61a6-11dc-b167-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,60,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d2f649b6-61a6-11dc-b167-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d2f649b6-61a6-11dc-b167-806d6172696f}\_Autorun\DefaultIcon]
@="D:\appicon.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a6-ae32-11dc-b222-0019db66a464}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,20,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a6-ae32-11dc-b222-0019db66a464}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a6-ae32-11dc-b222-0019db66a464}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a6-ae32-11dc-b222-0019db66a464}\Shell\AutoRun\command]
@="F:\LaunchU3.exe -a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a6-ae32-11dc-b222-0019db66a464}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a6-ae32-11dc-b222-0019db66a464}\_Autorun\DefaultIcon]
@="F:\LaunchU3.exe,0"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,09,04,00,00
"_LabelFromReg"="Capricorn"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\AutoRun]
"Extended"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\AutoRun\command]
@="G:\oufddh.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\explore]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\explore\Command]
@="G:\oufddh.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\open]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\open\Command]
@="G:\oufddh.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e81952a7-ae32-11dc-b222-0019db66a464}\Shell\open\Default]
@="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fe56434a-afdf-11dc-b225-0019db66a464}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fe56434a-afdf-11dc-b225-0019db66a464}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fe56434a-afdf-11dc-b225-0019db66a464}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fe56434a-afdf-11dc-b225-0019db66a464}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{552908b8-5f30-11dc-8466-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,
47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,
00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,
67,00,6e,00,61,00,74,00,75,00,72,00,65,00,35,00,30,00,36,00,44,00,35,00,30,
00,36,00,43,00,4f,00,66,00,66,00,73,00,65,00,74,00,37,00,45,00,30,00,30,00,
4c,00,65,00,6e,00,67,00,74,00,68,00,39,00,43,00,33,00,44,00,42,00,44,00,38,
00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,64,00,
2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,00,34,
00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,66,00,
62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,
65,00,7b,00,35,00,35,00,32,00,39,00,30,00,38,00,62,00,38,00,2d,00,35,00,66,
00,33,00,30,00,2d,00,31,00,31,00,64,00,63,00,2d,00,38,00,34,00,36,00,36,00,
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,
00,7d,00,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,4e,00,
54,00,46,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,
00,ff,00,07,00,ff,00,00,00,16,00,00,00,ef,3e,e5,18,00,00,00,00,00,00,00,30,
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,
00
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5c39e901-5f25-11dc-aedc-0019db66a464}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,
47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,
00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,
67,00,6e,00,61,00,74,00,75,00,72,00,65,00,35,00,30,00,36,00,44,00,35,00,30,
00,36,00,43,00,4f,00,66,00,66,00,73,00,65,00,74,00,39,00,43,00,33,00,44,00,
43,00,35,00,36,00,30,00,30,00,4c,00,65,00,6e,00,67,00,74,00,68,00,31,00,42,
00,37,00,46,00,33,00,39,00,32,00,43,00,30,00,30,00,23,00,7b,00,35,00,33,00,
66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,
00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,
30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,
65,00,7b,00,35,00,63,00,33,00,39,00,65,00,39,00,30,00,31,00,2d,00,35,00,66,
00,32,00,35,00,2d,00,31,00,31,00,64,00,63,00,2d,00,61,00,65,00,64,00,63,00,
2d,00,30,00,30,00,31,00,39,00,64,00,62,00,36,00,36,00,61,00,34,00,36,00,34,
00,7d,00,5c,00,00,00,53,00,61,00,6e,00,74,00,61,00,56,00,61,00,6e,00,74,00,
61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,4e,00,
54,00,46,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,
00,ff,00,07,00,ff,00,00,00,16,00,00,00,8d,49,e6,f0,00,00,00,00,00,00,00,30,
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,
00
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d2f649b6-61a6-11dc-b167-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,49,00,44,00,45,00,23,00,43,00,
64,00,52,00,6f,00,6d,00,48,00,4c,00,2d,00,44,00,54,00,2d,00,53,00,54,00,5f,
00,44,00,56,00,44,00,52,00,41,00,4d,00,5f,00,47,00,53,00,41,00,2d,00,48,00,
34,00,32,00,4c,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,
00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,53,00,4c,00,30,00,31,00,5f,00,5f,00,
5f,00,5f,00,23,00,33,00,31,00,34,00,62,00,33,00,37,00,33,00,36,00,33,00,33,
00,33,00,32,00,33,00,32,00,33,00,36,00,33,00,30,00,33,00,32,00,32,00,30,00,
33,00,31,00,32,00,30,00,32,00,30,00,32,00,30,00,32,00,30,00,32,00,30,00,32,
00,30,00,32,00,30,00,32,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,
33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,
00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,
31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,
65,00,7b,00,64,00,32,00,66,00,36,00,34,00,39,00,62,00,36,00,2d,00,36,00,31,
00,61,00,36,00,2d,00,31,00,31,00,64,00,63,00,2d,00,62,00,31,00,36,00,37,00,
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,
00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,
6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,10,00,00,00,ff,01,00,
00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,
00
"Generation"=dword:00000001

Part2 Report
Sat 02/23/2008 12:38:46.90

No Autorun files found in C:\WINDOWS

No Autorun files found in C:\WINDOWS\system32

No Autorun files found in root of C:

No Autorun files found in root of E:

ComboFix 08-02-22.3 - Home 2008-02-23 12:43:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.743 [GMT 8:00]
Running from: C:\Documents and Settings\Home\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Home\Desktop\CFscript.txt

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-23 02:44 . 2008-02-23 02:44 d-------- C:\Program Files\CleanUp!
2008-02-23 02:25 . 2008-02-23 02:35 d-------- C:\Program Files\CABAL Online (SG MY)
2008-02-23 02:08 . 2008-02-23 11:04 d-------- C:\Program Files\ZMatrix
2008-02-23 02:08 . 2008-02-23 02:08 d-------- C:\Documents and Settings\Home\Application Data\.ZMatrix
2008-02-22 19:45 . 2008-02-22 19:45 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-22 19:45 . 2008-02-22 19:45 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-22 19:44 . 2008-02-22 19:44 d-------- C:\Program Files\Kaspersky Lab
2008-02-22 19:44 . 2008-02-23 12:44 3,781,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-22 19:44 . 2008-02-23 11:24 54,464 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-22 19:44 . 2008-02-23 12:44 6,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-22 19:44 . 2008-02-23 11:24 1,364 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-22 16:24 . 2008-02-22 16:24 d-------- C:\kav
2008-02-22 15:17 . 2008-02-23 02:03 71,680 --a------ C:\WINDOWS\system32\amvo0.dll.vir
2008-02-22 14:42 . 2008-02-22 14:42 d-------- C:\Program Files\ZoneAlarmSB
2008-02-22 14:41 . 2008-02-22 14:41 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-22 14:41 . 2008-02-22 14:42 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-22 14:40 . 2008-02-22 19:39 d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-22 14:40 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-02-22 14:39 . 2008-02-22 19:37 d-------- C:\WINDOWS\Internet Logs
2008-02-22 13:25 . 2008-02-22 13:25 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-22 13:24 . 2008-02-23 02:23 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-22 13:24 . 2008-02-22 13:24 d-------- C:\Documents and Settings\Home\Application Data\SUPERAntiSpyware.com
2008-02-22 13:22 . 2008-02-22 13:22 d-------- C:\Program Files\Panda Security
2008-02-22 12:50 . 2008-02-22 12:50 d-------- C:\Program Files\Lavasoft
2008-02-22 12:50 . 2008-02-22 12:51 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-22 12:26 . 2008-02-22 12:26 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-22 12:26 . 2008-02-23 11:25 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 11:47 . 2008-02-22 11:47 d-------- C:\Documents and Settings\Home\Application Data\PrevxCSI
2008-02-21 14:08 . 2008-02-23 11:22 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-21 14:07 . 2008-02-21 14:07 d-------- C:\Program Files\Trojan Remover
2008-02-21 14:07 . 2008-02-21 14:07 d-------- C:\Documents and Settings\Home\Application Data\Simply Super Software
2008-02-21 14:07 . 2008-02-21 14:07 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-21 14:07 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-21 14:07 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-21 14:07 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-21 14:07 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-21 14:07 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-20 17:58 . 2008-02-22 19:40 106,757 -r-hs---- C:\oufddh.exe
2008-02-20 01:21 . 2008-02-20 01:21 d-------- C:\Program Files\Investintech.com Inc
2008-02-15 19:42 . 2008-02-15 19:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-15 19:40 . 2008-02-15 19:42 d-------- C:\Documents and Settings\Home\.housecall6.6
2008-02-12 18:16 . 2008-02-22 19:40 106,757 --a------ C:\WINDOWS\system32\amvo.exe.vir
2008-02-12 02:51 . 2008-02-12 02:51 d-------- C:\Program Files\Ventrilo
2008-02-08 18:37 . 2008-02-08 18:37 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2008-02-08 18:35 . 2008-02-08 18:35 23,604 --a------ C:\WINDOWS\system32\drivers\klopp.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 04:38 --------- d-----w C:\Program Files\lg_fwupdate
2008-02-22 18:16 --------- d-----w C:\Program Files\Yahoo!
2008-02-22 18:15 --------- d-----w C:\Program Files\VentSrv
2008-02-22 18:15 --------- d-----w C:\Program Files\Nokia
2008-02-22 18:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 18:08 --------- d-----w C:\Documents and Settings\Home\Application Data\.ZMatrix
2008-02-22 14:02 --------- d-----w C:\Documents and Settings\Home\Application Data\U3
2008-02-21 18:19 --------- d-----w C:\Program Files\Warcraft III
2008-02-21 14:14 --------- d-----w C:\Documents and Settings\Home\Application Data\LimeWire
2008-02-21 06:20 --------- d-----w C:\Program Files\LimeWire
2008-02-05 10:26 --------- d-----w C:\Documents and Settings\Home\Application Data\dvdcss
2008-01-27 11:18 --------- d-----w C:\Program Files\World of Warcraft
2008-01-20 02:54 --------- d-----w C:\Program Files\MessengerDiscovery
2008-01-19 18:42 --------- d-----w C:\Program Files\MSN Messenger
2008-01-06 10:13 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-12-14 03:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-12-02 10:58 127,034 -c----r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-11-25 15:43 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-11-25 14:55 81,920 -c----r C:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe
2007-11-24 16:43 92,064 -c--a-w C:\Documents and Settings\Home\mqdmmdm.sys
2007-11-24 16:43 9,232 -c--a-w C:\Documents and Settings\Home\mqdmmdfl.sys
2007-11-24 16:43 79,328 -c--a-w C:\Documents and Settings\Home\mqdmserd.sys
2007-11-24 16:43 66,656 -c--a-w C:\Documents and Settings\Home\mqdmbus.sys
2007-11-24 16:43 6,208 -c--a-w C:\Documents and Settings\Home\mqdmcmnt.sys
2007-11-24 16:43 5,936 -c--a-w C:\Documents and Settings\Home\mqdmwhnt.sys
2007-11-24 16:43 4,048 -c--a-w C:\Documents and Settings\Home\mqdmcr.sys
2007-11-24 16:43 25,600 -c--a-w C:\Documents and Settings\Home\usbsermptxp.sys
2007-11-24 16:43 22,768 -c--a-w C:\Documents and Settings\Home\usbsermpt.sys
2004-10-01 07:00 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-22 14:42 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-22 14:42 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32 700416]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2007-09-10 20:33 6338360]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2004-06-01 18:46 196608]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe"
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 23:44 8429568]
"nwiz"="nwiz.exe" [2007-04-12 23:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-12-15 10:58 208896]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-12-15 10:58 69632]
"WinSys2"="C:\WINDOWS\system32\winsys2.exe" [2006-12-15 10:59 217088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 23:44 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 14:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-11-02 14:55 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2005-04-12 10:11 229376]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-22 04:21 185632]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36 229376]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-05-21 19:11 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-06-01 11:09 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-06-01 11:03 217088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-02-20 17:48 863824]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-02 18:58:19 67128]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"= %windir%\system32\sessmgr.exe:@xpsp2res.dll,-22019
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"=
"C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe"=
"C:\Documents and Settings\Home\Desktop\lancraft.exe"=
"C:\Program Files\VentSrv\ventrilo_srv.exe"=
"C:\Program Files\BitComet\BitComet.exe"=
"C:\Program Files\WIZET\MapleStory\MapleStory.exe"=
"C:\Program Files\Ares\Ares.exe"=
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=
"C:\Program Files\Yahoo!\Messenger\YServer.exe"=
"C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe"=
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"=
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"C:\Program Files\Windows Live\Messenger\livecall.exe"=
"C:\Program Files\LimeWire\LimeWire.exe"=
"C:\kav\kav7.0\english\setup.exe"=
"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"10426:TCP"= 10426:TCP:BitComet 10426 TCP
"10426:UDP"= 10426:UDP:BitComet 10426 UDP

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2004-05-22 03:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{552908b6-5f30-11dc-8466-806d6172696f}]
\Shell\AutoRun\command - D:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{91d37fe2-ad7f-11dc-b221-0019db66a464}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{cf7078e8-85a5-11dc-b1c2-0019db66a464}]
\Shell\Auto\command - F:\sss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e81952a6-ae32-11dc-b222-0019db66a464}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e81952a7-ae32-11dc-b222-0019db66a464}]
\Shell\AutoRun\command - G:\oufddh.exe
\Shell\explore\Command - G:\oufddh.exe
\Shell\open\Command - G:\oufddh.exe

.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 12:44:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-02-23 12:45:27
ComboFix-quarantined-files.txt 2008-02-23 04:45:24
ComboFix2.txt 2008-02-23 02:56:24

Logfile of HijackThis v1.99.1
Scan saved at 12:46:35 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\winsys2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Home\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://sg.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://sg.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [LGODDFU] “C:\Program Files\lg_fwupdate\fwupdate.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [trojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM..\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe”
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [CTSyncU.exe] “C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe”
O4 - HKCU..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU..\Run: [BitComet] “C:\Program Files\BitComet\BitComet.exe” /tray
O4 - HKCU..\Run: [LogitechSoftwareUpdate] “C:\Program Files\Logitech\Video\ManifestEngine.exe” boot
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

Sorry for the spam. Drive E is half of my total hard drive, just in case I needed to format my drive C. Capricorn is my removable thumb drive, but at the time of the scans it is not plugged in. I’ve got one drive D (CD-ROM), and that’s it. No floppy drive or any other things.

We’ll use a different program to clean up some mountpoints.

So we may as well restore that file and have it tested.

Open Windows Explorer, click the + sign beside the C:\ drive, scroll down, and click the + sign beside the WINDOWS folder.

Use the slider in the left hand panel, slide it up until you can see

C:\qoobox

click the + sign beside qoobox
click the + sign beside Quarantine
click the + sign beside C
click the + sign beside WINDOWS
click on the system32 folder

Look in the right hand panel for a file named winsys.exe.vir

Use the slider in the left panel to slide it down until the WINDOWS\system32 folder is across from the file you just located. Right-click on the file and hold the mouse button down, drag the file to the system32 folder, and let go of the mouse button. Choose “Move here”.

Now we test the file. While you are doing that, I’ll put together a fix. If you have any problems let me know and we’ll do it a step at a time.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

Copy and paste the following into the “Upload a file” box (one at a time if more than one file is listed):

C:\WINDOWS\system32\winsys.exe.vir

Scroll down a bit and click “Send file”, wait for the results, and post them in your next reply.
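The MountPoints2 entries in the ComboFix log above are the registry side of the Worm.Win32.AutoRun detections: each removable volume the machine has seen gets its own key, and a worm that lands on the drive rewrites the `\Shell\...\command` values so that opening or exploring the drive launches its executable. The script below, added here as an illustration and not part of ComboFix, HijackThis or the helper's fix, parses that section of a log and flags the volumes whose handlers match the pattern seen in this thread: a non-standard `Auto` verb, an indirect launch through `RunDLL32 Shell32.DLL,ShellExec_RunDLL`, a target given as a bare filename resolved from the volume root, or `open`, `explore` and `AutoRun` all pointing at the same executable. The sample input is the log section copied from this thread; the heuristics and function names are my own, not anything the tools define.

```python
import re

# Constructed sample input: the MountPoints2 section of the ComboFix log posted
# in this thread, embedded so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{552908b6-5f30-11dc-8466-806d6172696f}]
\Shell\AutoRun\command - D:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91d37fe2-ad7f-11dc-b221-0019db66a464}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf7078e8-85a5-11dc-b1c2-0019db66a464}]
\Shell\Auto\command - F:\sss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e81952a6-ae32-11dc-b222-0019db66a464}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e81952a7-ae32-11dc-b222-0019db66a464}]
\Shell\AutoRun\command - G:\oufddh.exe
\Shell\explore\Command - G:\oufddh.exe
\Shell\open\Command - G:\oufddh.exe
"""

# A key header; the volume is either a drive letter or a {GUID}. The backslash
# before the GUID is optional because forum formatting often eats it.
KEY_RE = re.compile(r"^\[hkey_current_user\\.*\\mountpoints2\\?(?P<vol>[^\]]+)\]$", re.I)
# A handler line: \Shell\<verb>\command - <command line>
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command\s*-\s*(?P<cmd>.+)$", re.I)

# Verbs Explorer normally defines for a volume; anything else (e.g. "Auto") is odd.
STANDARD_VERBS = {"autorun", "open", "explore"}


def parse_mountpoints(log_text):
    """Return {volume: {verb: command}} for every MountPoints2 key in the log text."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group("vol")
            entries.setdefault(current, {})
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            entries[current][cmd.group("verb").lower()] = cmd.group("cmd").strip()
    return entries


def launched_target(cmd):
    """Lower-cased path of the executable the command ultimately starts.

    RunDLL32 ... ShellExec_RunDLL <file> is an indirection: the real target is
    the token after ShellExec_RunDLL, not rundll32 itself.
    """
    low = cmd.lower()
    marker = "shellexec_rundll"
    if marker in low:
        rest = low.split(marker, 1)[1].strip()
        return rest.split()[0] if rest else ""
    return low.split()[0]


def assess(handlers):
    """Return the reasons (possibly none) a volume's handlers look hijacked."""
    reasons = []
    for verb, cmd in handlers.items():
        if verb not in STANDARD_VERBS:
            reasons.append(f"{verb}: non-standard shell verb")
        if "shellexec_rundll" in cmd.lower():
            reasons.append(f"{verb}: launched indirectly through RunDLL32 ShellExec_RunDLL")
        target = launched_target(cmd)
        if "\\" not in target and target.endswith(".exe"):
            reasons.append(f"{verb}: bare target '{target}' resolved from the volume root")
    # A worm typically points open, explore and AutoRun at the same file so
    # every way of entering the drive runs it.
    if STANDARD_VERBS <= set(handlers) and len({launched_target(c) for c in handlers.values()}) == 1:
        reasons.append("open, explore and autorun all redirected to the same executable")
    return reasons


def find_suspicious(log_text):
    """Map each flagged volume to its list of reasons; clean volumes are omitted."""
    return {vol: r for vol, h in parse_mountpoints(log_text).items() if (r := assess(h))}


if __name__ == "__main__":
    for vol, reasons in find_suspicious(SAMPLE_LOG).items():
        print(vol)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the D: CD-ROM autoplay entry and the `F:\LaunchU3.exe -a` U3 launcher come out clean, while the four volumes carrying `copy.exe`, `sxs.exe`, `sss.exe` and `oufddh.exe` are flagged. The point for a defender is that these keys are per-user cached handlers, so cleaning the infected drive alone does not remove them; they stay until the MountPoints2 subkeys are deleted, which is why the helper reaches for a separate tool.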

Thanks for the additional information. Please do not plug it in; we will deal with it later.