
[InActive] Trojan horse generic11.avya and trojan horse spamtool.cbj

Discussion in 'Malware and Virus Removal Archive' started by presto, 2008/10/21.

    presto, Thread Starter, 2008/10/21
    I have an infection on my network (20 PCs). My AVG antivirus shows threats of trojan horse generic11.avya and trojan horse spamtool.cbj with .exe files in c:\...\%user%\local settings\temp with random names. They also sometimes appear in process explorer under task manager. I have run Malwarebytes also and it found some errors that I corrected, and now it finds nothing, yet the infection is still there. My executable files are not starting anymore. The computer is slow. I have run RSIT with HijackThis and here are the log files.

    INFO.TXT
    info.txt logfile of random's system information tool 1.04 2008-10-21 13:18:16

    ======Uninstall list======

    -->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
    -->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    -->C:\WINDOWS\IsUninst.exe -f "C:\Program Files\S3\S3\S3.isu"
    -->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
    -->C:\WINDOWS\UNNMP.exe /UNINSTALL
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
    Dake Reference Library-->C:\WINDOWS\unvise32.exe c:\navpress\uninstal.log
    Data Access Objects (DAO) 3.5-->C:\Program Files\Common Files\Microsoft Shared\DAO\Remove.EXE C:\WINDOWS\UNINST.EXE -fC:\PROGRA~1\COMMON~1\MICROS~1\DAO\DeIsL1.isu
    dBpowerAMP Music Converter-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
    DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
    DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
    DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
    Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
    Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
    HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    HP Deskjet 5900 series-->C:\Program Files\HP\Digital Imaging\{79546A5F-AE7C-4693-8670-A3401B43ABD2}\setup\hpzscr01.exe -datfile hpfscr05.dat
    HP Image Zone 5.0-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
    HP Imaging Device Functions 5.0-->C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
    HP PSC & OfficeJet 5.3.B-->"C:\Program Files\HP\Digital Imaging\{49FB31C1-26EC-44c6-AB47-73C66E2BC41E}\setup\hpzscr01.exe" -datfile hposcr07.dat
    HP Software Update-->MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
    HP Solution Center & Imaging Support Tools 5.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
    Intel(R) Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
    Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
    Macromedia Dreamweaver MX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
    Macromedia Extension Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
    Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    Mobius Phone Explorer-->C:\Program Files\Mobius Phone Explorer\_Unins.exe
    Mozilla Thunderbird (1.5)-->C:\Program Files\Mozilla Thunderbird\uninstall\uninstall.exe /ua "1.5 (en-US)"
    Nero BurnRights-->C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
    Nero PhotoShow Express-->"C:\Program Files\Nero\data\Xtras\Uninstall.exe"
    Nero Suite-->C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
    OpenOffice.org 2.0-->MsiExec.exe /I{686BB230-DE5B-44F4-8DB0-4F9BEE7310F7}
    PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
    Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
    SAMSUNG CDMA Modem Driver Set-->C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
    Samsung Mobile phone USB driver Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
    SAMSUNG Mobile USB Modem 1.0 Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
    SAMSUNG Mobile USB Modem Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
    Samsung PC Studio 3 USB Driver Installer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -l0x9 -removeonly
    Samsung PC Studio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly
    SiS VGA Utilities-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x9 -uninst
    Skype 2.0-->"C:\Program Files\Skype\Phone\unins000.exe"
    USB to UART Driver1.95.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F06FCDEC-5AB3-4927-A3E7-36AF98A8E05C}\setup.exe" -l0x9 -removeonly
    VNC Free Edition 4.1.1-->"C:\Program Files\RealVNC\VNC4\unins000.exe"
    WaveCart-->C:\WINDOWS\iun6002.exe "C:\BSI32\WaveCart_irunin.ini"
    Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
    WordWeb-->C:\Program Files\WordWeb\uninst.exe

    =====HijackThis Backups=====

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\system32\avgwlntf.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

    ======Environment variables======

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;C:\Program Files\Samsung\Samsung PC Studio 3\
    "windir"=%SystemRoot%
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    "PROCESSOR_REVISION"=0209
    "NUMBER_OF_PROCESSORS"=1
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP

    -----------------EOF-----------------
    LOG.TXT
    Logfile of random's system information tool 1.04 (written by random/random)
    Run by svilakati at 2008-10-21 13:18:11
    Microsoft Windows XP Professional Service Pack 2, v.2096
    System drive C: has 8 GB (52%) free of 16 GB
    Total RAM: 503 MB (49% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:18:13 PM, on 10/21/2008
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\inetsrv\DavCData.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\svilakati\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\svilakati.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.za/
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [Win32 Servermgr12345] C:\WINDOWS\system32\winimgr.exe
    O4 - HKLM\..\RunServices: [Win32 Servermgrs12] C:\WINDOWS\system32\wininit.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = voc.pri
    O17 - HKLM\Software\..\Telephony: DomainName = voc.pri
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = voc.pri
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = voc.pri
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 2861 bytes

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-05-19 143360]
    "IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-07-01 212992]
    "SiSPower"=C:\WINDOWS\system32\SiSPower.dll [2005-08-25 49152]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-05-19 14336]
    "Skype"=C:\Program Files\Skype\Phone\Skype.exe [2006-02-06 19490344]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-04-05 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINDOWS\system32\igfxsrvc.dll [2004-07-01 344064]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "NoDispScrSavPage"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    "EnableLUA"=0

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145
    "DisablePersonalDirChange"=1
    "ForceStartMenuLogOff"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:Remote Assistance"
    "\\voc-server\voc-files\homes\svilakati\GAMES\Games\Zuma\Zuma.exe"="\\voc-server\voc-files\homes\svilakati\GAMES\Games\Zuma\Zuma.exe:*:Enabled:ipsec"
    "C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN"="C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN:*:Enabled:ipsec"
    "\\voc-server\netlogon\KIX32.EXE"="\\voc-server\netlogon\KIX32.EXE:*:Enabled:ipsec"
    "C:\WINDOWS\SOUNDMAN.EXE"="C:\WINDOWS\SOUNDMAN.EXE:*:Enabled:ipsec"
    "C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\explorer.exe:*:Enabled:ipsec"
    "C:\WINDOWS\system32\igfxtray.exe"="C:\WINDOWS\system32\igfxtray.exe:*:Enabled:ipsec"
    "C:\WINDOWS\regedit.exe"="C:\WINDOWS\regedit.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w37abe.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w37abe.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w141822.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w141822.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w363ae7.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w363ae7.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w19ff46.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w19ff46.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w2fb3d7.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w2fb3d7.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w19d16c7.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w19d16c7.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\we1f12c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\we1f12c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wbcee63.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wbcee63.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w15612ea.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w15612ea.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd29bc4.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd29bc4.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w119a0ec.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w119a0ec.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1ed72fc.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1ed72fc.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd45c8f.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd45c8f.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w134e15b.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w134e15b.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w46eec8d.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w46eec8d.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w135b622.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w135b622.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w2a7db43.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w2a7db43.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w4c8a035.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w4c8a035.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1986501.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1986501.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w199463a.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w199463a.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w2a2448c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w2a2448c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1515e74.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1515e74.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w545f6d0.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w545f6d0.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w4a8da4c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w4a8da4c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w3f4c16e.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w3f4c16e.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w65533d0.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w65533d0.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w7eb2010.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w7eb2010.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w260d7c5.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w260d7c5.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w3ac52a8.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w3ac52a8.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w75939c0.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w75939c0.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w4981ff3.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w4981ff3.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w845e89c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w845e89c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w322641c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w322641c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w2170eda.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w2170eda.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w85cb6f0.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w85cb6f0.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w217861c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w217861c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w7075e6c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w7075e6c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w707c5b0.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w707c5b0.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w2580d28.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w2580d28.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w5dcf19f.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w5dcf19f.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w67daaf4.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w67daaf4.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w298cc1c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w298cc1c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wa63acf0.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wa63acf0.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wbb18e36.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wbb18e36.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wfac5285.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wfac5285.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w5b34d0c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w5b34d0c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w5b52f78.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w5b52f78.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w9509cd0.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w9509cd0.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wade80e7.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wade80e7.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w6376a58.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w6376a58.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wa13edca.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wa13edca.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wbc2bc89.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wbc2bc89.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd714e98.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd714e98.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w127e2a50.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w127e2a50.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1043936a.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1043936a.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w12134a2c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w12134a2c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\we7666f0.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\we7666f0.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w73be66c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w73be66c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd89c079.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd89c079.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wb9b0be4.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wb9b0be4.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w154940a8.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w154940a8.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wa4db2d7.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wa4db2d7.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w83e6d48.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w83e6d48.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\we6dae50.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\we6dae50.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w41fb346.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w41fb346.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd1feb06.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd1feb06.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\waf04533.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\waf04533.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w690591f.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w690591f.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w13b29b44.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w13b29b44.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1974d155.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1974d155.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wde304b6.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wde304b6.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wb92d172.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wb92d172.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w14d6ae09.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w14d6ae09.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w15f7eefa.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w15f7eefa.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w9c3ca08.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w9c3ca08.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w9c40984.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w9c40984.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w4e25ed8.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w4e25ed8.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wcd6adc4.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wcd6adc4.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w148b3d38.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w148b3d38.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w522f276.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w522f276.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1c422502.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1c422502.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1af289fa.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1af289fa.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd79c48c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\wd79c48c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w18424bf0.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w18424bf0.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w102d419c.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w102d419c.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\we1bcbbf.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\we1bcbbf.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1965db66.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1965db66.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w5a4faac.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w5a4faac.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1695f908.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w1695f908.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w14a42e00.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w14a42e00.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w8d8d9a2.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w8d8d9a2.exe:*:Enabled:ipsec"
    "C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w5e606c4.exe"="C:\DOCUME~1\SVILAK~1\LOCALS~1\Temp\w5e606c4.exe:*:Enabled:ipsec"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:Remote Assistance"
    "C:\Program Files\HP\digital imaging\bin\hpqtra08.exe"="C:\Program Files\HP\digital imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
    "C:\Program Files\HP\digital imaging\bin\hpqste08.exe"="C:\Program Files\HP\digital imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
    "C:\Program Files\HP\digital imaging\bin\hpofxm08.exe"="C:\Program Files\HP\digital imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
    "C:\Program Files\HP\digital imaging\bin\hposfx08.exe"="C:\Program Files\HP\digital imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
    "C:\Program Files\HP\digital imaging\bin\hposid01.exe"="C:\Program Files\HP\digital imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
    "C:\Program Files\HP\digital imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\digital imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
    "C:\Program Files\HP\digital imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\digital imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
    "C:\Program Files\HP\digital imaging\bin\hpqcopy.exe"="C:\Program Files\HP\digital imaging\bin\hpqcopy.exe:*:Enabled:hpqcopy.exe"
    "C:\Program Files\HP\digital imaging\bin\hpfccopy.exe"="C:\Program Files\HP\digital imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
    "C:\Program Files\HP\digital imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\digital imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
    "C:\Program Files\HP\digital imaging\bin\hpotbx08.exe"="C:\Program Files\HP\digital imaging\bin\hpotbx08.exe:*:Enabled:hpotbx08.exe"
    "C:\Program Files\HP\digital imaging\unload\hpqphunl.exe"="C:\Program Files\HP\digital imaging\unload\hpqphunl.exe:*:Enabled:hpqphunl.exe"
    "C:\Program Files\HP\digital imaging\unload\hpqdia.exe"="C:\Program Files\HP\digital imaging\unload\hpqdia.exe:*:Enabled:hpqdia.exe"
    "C:\Program Files\HP\digital imaging\bin\hpoews01.exe"="C:\Program Files\HP\digital imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
    "C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
    "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe"="C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX"
    "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17e14888-49e0-11dd-b237-806d6172696f}]
    shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a21c148-647c-11dd-b252-806d6172696f}]
    shell\AutoRun\command - F:\tpfbusg.cmd
    shell\explore\command - F:\tpfbusg.cmd
    shell\open\command - F:\tpfbusg.cmd

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aa4b023-394c-11dd-b233-806d6172696f}]
    shell\AutoRun\command - F:\r1y1.bat
    shell\explore\command - F:\r1y1.bat
    shell\open\command - F:\r1y1.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fd6068a-5cb6-11dd-b24c-806d6172696f}]
    shell\AutoRun\command - F:\kdxdweli.cmd
    shell\explore\command - F:\kdxdweli.cmd
    shell\open\command - F:\kdxdweli.cmd

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35899ffa-0ac4-11dd-8da8-806d6172696f}]
    shell\AutoOpen\command - N:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
    shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35899ffd-0ac4-11dd-8da8-806d6172696f}]
    shell\AutoRun\command - 0hct8ybw.bat
    shell\explore\command - 0hct8ybw.bat
    shell\open\command - 0hct8ybw.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73222f22-94a0-11dd-b257-806d6172696f}]
    shell\AutoRun\command - F:\jdhc2x2.com
    shell\explore\command - F:\jdhc2x2.com
    shell\open\command - F:\jdhc2x2.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93de4122-e921-11dc-8ce3-806d6172696f}]
    shell\AutoRun\command - F:\SSVICHOSST.exe
    shell\Open\command - F:\SSVICHOSST.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9799fccd-d0cf-11dc-8cdc-806d6172696f}]
    shell\Auto\command - F:\driver.exe
    shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL driver.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98c185b5-434e-11dd-b234-806d6172696f}]
    shell\AutoRun\command - F:\kinza.exe
    shell\explore\command - F:\kinza.exe
    shell\open\command - F:\kinza.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf73fcfc-e44b-11dc-8cdd-806d6172696f}]
    shell\AutoRun\command - F:\c9hehpa.bat
    shell\explore\command - F:\c9hehpa.bat
    shell\open\command - F:\c9hehpa.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e189144c-37a7-11dd-b232-806d6172696f}]
    shell\AutoRun\command - F:\rqq2v.bat
    shell\explore\command - F:\rqq2v.bat
    shell\open\command - F:\rqq2v.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee22e32c-e6ce-11dc-8ce2-806d6172696f}]
    shell\AutoRun\command - F:\xn1i9x.com
    shell\explore\command - F:\xn1i9x.com
    shell\open\command - F:\xn1i9x.com


    ======File associations======

    .js - open - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"

    ======List of files/folders created in the last 3 months======

    2008-10-21 13:18:11 ----D---- C:\rsit
    2008-10-17 10:53:28 ----D---- C:\Program Files\Enigma Software Group
    2008-10-16 14:26:27 ----D---- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-10-16 13:21:59 ----D---- C:\Documents and Settings\svilakati\Application Data\Malwarebytes
    2008-10-16 13:21:48 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-16 13:21:48 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-16 13:21:00 ----D---- C:\Program Files\Trend Micro
    2008-10-16 11:06:45 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
    2008-10-16 10:49:07 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-10-16 10:41:56 ----A---- C:\WINDOWS\system32\winsusrm.dll
    2008-10-16 10:32:37 ----D---- C:\Program Files\XoftSpy
    2008-10-15 16:40:53 ----A---- C:\WINDOWS\system32\MSVolume.dll
    2008-10-15 16:33:21 ----D---- C:\Program Files\Hijackthis
    2008-10-15 10:15:41 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-09 09:36:31 ----D---- C:\Documents and Settings\svilakati\Application Data\Yahoo!
    2008-09-04 19:50:09 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-09-04 19:38:20 ----A---- C:\YServer.txt
    2008-09-04 19:37:37 ----D---- C:\Program Files\Yahoo!
    2008-08-13 07:22:43 ----D---- C:\WINDOWS\Sun
    2008-08-13 07:22:43 ----D---- C:\Documents and Settings\svilakati\Application Data\Sun
    2008-08-12 16:37:59 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-08-12 16:37:59 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-08-12 16:37:59 ----A---- C:\WINDOWS\system32\java.exe
    2008-08-12 16:36:59 ----D---- C:\Program Files\Java
    2008-08-12 16:06:34 ----D---- C:\Program Files\Common Files\Java
    2008-08-11 10:48:26 ----D---- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
    2008-08-01 11:05:26 ----D---- C:\WINDOWS\system32\NtmsData

    ======List of files/folders modified in the last 3 months======

    2008-10-21 13:18:02 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-10-21 13:09:48 ----D---- C:\WINDOWS\Prefetch
    2008-10-21 12:35:43 ----D---- C:\WINDOWS\Temp
    2008-10-21 12:25:33 ----D---- C:\Program Files\Mozilla Thunderbird
    2008-10-21 09:29:14 ----D---- C:\WINDOWS\system32\inetsrv
    2008-10-21 08:12:03 ----D---- C:\WINDOWS\security
    2008-10-20 13:00:08 ----D---- C:\WINDOWS\Registration
    2008-10-20 12:14:29 ----D---- C:\Documents and Settings\svilakati\Application Data\Skype
    2008-10-20 11:53:44 ----D---- C:\Documents and Settings\svilakati\Application Data\OpenOffice.org2
    2008-10-20 11:53:13 ----D---- C:\WINDOWS\system32\drivers
    2008-10-17 13:18:47 ----RD---- C:\Program Files
    2008-10-17 11:37:21 ----D---- C:\WINDOWS\system32
    2008-10-16 14:35:06 ----D---- C:\Temp
    2008-10-16 14:35:00 ----A---- C:\WINDOWS\win.ini
    2008-10-16 14:35:00 ----A---- C:\WINDOWS\system.ini
    2008-10-16 14:26:20 ----SD---- C:\Documents and Settings\svilakati\Application Data\Microsoft
    2008-10-16 14:26:19 ----D---- C:\WINDOWS\system
    2008-10-16 14:26:19 ----D---- C:\WINDOWS
    2008-10-16 14:18:58 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-10-16 10:45:47 ----D---- C:\WINDOWS\system32\config
    2008-10-15 15:06:24 ----RHD---- C:\$VAULT$.AVG
    2008-10-15 14:35:38 ----HD---- C:\Config.Msi
    2008-10-15 14:24:26 ----RSD---- C:\WINDOWS\Fonts
    2008-10-15 14:23:36 ----D---- C:\Program Files\OpenOffice.org 2.0
    2008-10-15 14:22:49 ----SHD---- C:\WINDOWS\Installer
    2008-10-07 20:48:30 ----D---- C:\Documents and Settings\svilakati\Application Data\Syntrillium
    2008-09-25 17:58:22 ----D---- C:\navpress
    2008-08-25 07:53:15 ----D---- C:\Inetpub
    2008-08-18 10:21:51 ----D---- C:\WINDOWS\system32\ias
    2008-08-12 16:06:34 ----D---- C:\Program Files\Common Files
    2008-08-06 09:13:21 ----D---- C:\WINDOWS\system32\Restore
    2008-08-01 10:48:20 ----A---- C:\WINDOWS\ODBC.INI
    2008-07-29 16:13:03 ----A---- C:\WINDOWS\NeroDigital.ini
    2008-07-28 10:09:01 ----A---- C:\WINDOWS\CDPlayer.ini
    2008-07-24 16:21:06 ----D---- C:\Documents and Settings\svilakati\Application Data\U3
    2008-07-24 13:41:38 ----A---- C:\WINDOWS\IE4 Error Log.txt

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-05-19 33792]
    R1 SiSkp;SiSkp; C:\WINDOWS\system32\DRIVERS\srvkp.sys [2005-08-25 11904]
    R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
    R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-07-26 3644032]
    R3 dpti930;dpti930; \??\C:\WINDOWS\system32\drivers\isokoo.sys []
    R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-07-01 724221]
    R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
    R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-03-11 20992]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-05-19 26624]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-05-19 57600]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-03-12 20480]
    S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-12-17 51120]
    S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-12-17 16496]
    S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-12-17 21744]
    S3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2005-09-03 261632]
    S3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2004-03-11 32768]
    S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
    S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
    S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
    S3 usb2vcom;USB to Serial Bridge Controller; C:\WINDOWS\System32\Drivers\usb2vcom.sys [2005-12-28 29184]
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-03-12 31616]
    S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-05-19 17024]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-03-12 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-03-12 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-03-12 26624]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-05-19 15872]
    R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
    R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-05-19 15872]
    R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-05-19 15872]
    R2 WinVNC4;VNC Server Version 4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [2005-03-11 455632]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2003-02-20 32768]
    S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-23 138168]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S4 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]

    -----------------EOF-----------------

    I need help please
    Thank you in advance :confused:
     
  2. 2008/10/22
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi presto
    Welcome to WindowsBBS.
    Your flash drive(s) are infected, so any machines they have been used on are also infected.
    Our first response to these situations is that you should have your IT person handle this problem: "my network (20 PCs)."

    I don't know that I am up to cleaning 20 PC's for your company. :cool:

    Having P2P file sharing on a work computer...tsk...tsk. Very bad idea. :(

    P2P software (Limewire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them.

    I would strongly suggest you look into professional help to handle this problem.
    I would also suggest you adopt some safer surfing habits.

    Geri
     
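One way to triage the MountPoints2 section of a log like the one above, as an added example that is not part of the original post or of the RSIT tool: each MountPoints2 key is Windows' cached copy of the autorun.inf of a volume that was once plugged in, so the script parses those entries and reports why each one looks like the autorun.inf of a USB worm. The sample input is four keys copied from the log posted above. The heuristics (all three Explorer verbs wired to one file, the RunDLL32 Shell32.DLL,ShellExec_RunDLL launcher, a script payload at the drive root, a target with no drive letter) are my own, and they produce reasons rather than a verdict: the ShellExec_RunDLL rule would also fire on the KB915865 MSOCache entry in the full log, which is an Office update disc, so every hit still needs a look.

```python
"""Flag suspicious removable-drive autorun entries in an RSIT MountPoints2 dump."""
import re

# Sample input: four MountPoints2 keys copied from the RSIT log posted above.
# Each key is the cached autorun.inf of a volume; "F:" is the USB stick and
# the GUID is the volume id Windows assigned when it was first plugged in.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17e14888-49e0-11dd-b237-806d6172696f}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a21c148-647c-11dd-b252-806d6172696f}]
shell\AutoRun\command - F:\tpfbusg.cmd
shell\explore\command - F:\tpfbusg.cmd
shell\open\command - F:\tpfbusg.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35899ffd-0ac4-11dd-8da8-806d6172696f}]
shell\AutoRun\command - 0hct8ybw.bat
shell\explore\command - 0hct8ybw.bat
shell\open\command - 0hct8ybw.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9799fccd-d0cf-11dc-8cdc-806d6172696f}]
shell\Auto\command - F:\driver.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL driver.exe
"""

KEY_RE = re.compile(r"^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^shell\\([^\\]+)\\command\s+-\s+(.*)$", re.I)
SCRIPT_EXT = (".bat", ".cmd", ".com", ".vbs", ".scr", ".pif")


def parse_mountpoints(text):
    """Return {guid: {verb (lowercase): command}} for every MountPoints2 key."""
    entries, guid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            guid = key.group(1).lower()
            entries[guid] = {}
            continue
        verb = VERB_RE.match(line)
        if verb and guid is not None:
            entries[guid][verb.group(1).lower()] = verb.group(2).strip()
    return entries


def target_of(command):
    """File the verb really launches: the last token for the RunDLL32
    ShellExec_RunDLL trick, the quoted path if quoted, else the first token."""
    cmd = command.strip()
    if "shellexec_rundll" in cmd.lower():
        return cmd.split()[-1]
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def assess(verbs):
    """Return the list of reasons one key looks like a USB worm's autorun.inf.
    The heuristics are the example's own, not a rule set from RSIT or AVG."""
    reasons = []
    targets = {verb: target_of(cmd) for verb, cmd in verbs.items()}
    basenames = {t.rsplit("\\", 1)[-1].lower() for t in targets.values()}
    # 1. open + explore (+ AutoRun) all wired to one file: double-clicking the
    #    drive or choosing "Explore" runs the payload even with autorun off.
    if {"open", "explore"} <= set(targets) and len(basenames) == 1:
        reasons.append("open/explore/autorun hijacked to one file")
    # 2. RunDLL32 Shell32.DLL,ShellExec_RunDLL launches a file while the
    #    AutoPlay dialog still looks like a plain "open folder" action.
    if any("shellexec_rundll" in cmd.lower() for cmd in verbs.values()):
        reasons.append("rundll32 ShellExec_RunDLL launcher")
    # 3. A batch/.com/script dropped at the drive root is a typical worm payload.
    for t in targets.values():
        if t.lower().endswith(SCRIPT_EXT):
            reasons.append("script payload %s" % t.rsplit("\\", 1)[-1])
            break
    # 4. A bare filename with no drive letter is resolved relative to the volume.
    if any(re.match(r"^[A-Za-z]:", t) is None for t in targets.values()):
        reasons.append("relative target path")
    return reasons


def scan(text):
    """Map each flagged GUID to its reasons; keys with no reasons are omitted."""
    flagged = {}
    for guid, verbs in parse_mountpoints(text).items():
        reasons = assess(verbs)
        if reasons:
            flagged[guid] = reasons
    return flagged


if __name__ == "__main__":
    for guid, reasons in scan(SAMPLE_LOG).items():
        print(guid, "->", "; ".join(reasons))
```

Run against the full log, the script only tells you which sticks to go and find; the registry keys are a cache, so deleting them on one PC neither cleans the stick nor the other nineteen machines that mounted it.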


  4. 2008/10/24
    presto

    presto Inactive Thread Starter

    Joined:
    2008/10/21
    Messages:
    3
    Likes Received:
    0
    Hi.
    Thanks for the very important information. I have the torrent software uninstalled but do not know what else to do. In fact, some IT companies here prefer that I format the machines because we have tried other antivirus products like NOD32. I have come to you guys because I know you are knowledgeable here.
    Thanks
     
  5. 2008/10/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If that many PCs are infected, I recommend you take them all offline and reformat them all. It would probably be wise to do the domain controller as well.
     
