Hi Shark74,
-- I do think a tool such as Acronis would be beneficial. Obviously, if you were to use it on a student's compy, there would be privacy issues that would come into play.
Of course, if you are the one tasked with cleaning their computers, then I think that would override any privacy concerns...
-- Your combofix log shows a lot of malware autorunning via external drive, as you suspected.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{439bddb1-a2b3-11dc-aaf1-0016d457db95}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c57f052a-ca63-11dc-ab0c-0016d457db95}]
\Shell\Auto\command - F:\Pictures.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Pictures.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eee99ee9-9a63-11dc-aae3-0016d457db95}]
\Shell\AutoRun\command - asfsadfasddfasfsd.exe
etc.....
I am going to remove all those registry keys, but that is only a temporary measure until the next time an infected drive is accessed...
A tool such as Flash-Disinfector by sUBs
http://www.techsupportforum.com/sect...isinfector.exe may help when you have the drives in your possession.
-- Do you know what this is? --> C:\WINDOWS\system32\PolicyBU.reg
I imagine it tweaks Explorer Policy registry values. Probably nothing to worry about.
What about this one? ---> C:\toolkit_widget.gif
Anyhoo, let's do this:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag and drop CFScript.txt into/over ComboFix.exe to start ComboFix
-- Let Combofix run as before and post us that log and we'll go from there.
Cheers
PP
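Added example, not part of PP's reply or of ComboFix itself: a small Python script that reads the MountPoints2 section of a ComboFix-style log (the format quoted in the post above) and reports every overridden drive shell verb, the mechanism by which the removable-drive malware in the log gets launched. The parser only assumes the two line shapes seen in the log (a bracketed key line and `\Shell\<verb>\command - <cmd>` value lines); the sample input is constructed from the entries quoted in the post. Entries are rated "high" when the command is a bare filename (resolved from the drive root, the classic autorun.inf pattern) or is launched indirectly through RunDLL32's ShellExec_RunDLL, and "medium" otherwise, since any Shell command under MountPoints2 deserves a look.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of a ComboFix log's MountPoints2 section
# (built from the entries quoted in the post; not a captured log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{439bddb1-a2b3-11dc-aaf1-0016d457db95}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c57f052a-ca63-11dc-ab0c-0016d457db95}]
\Shell\Auto\command - F:\Pictures.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Pictures.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eee99ee9-9a63-11dc-aae3-0016d457db95}]
\Shell\AutoRun\command - asfsadfasddfasfsd.exe
"""

# A MountPoints2 key line: [HKEY_...\mountpoints2\{GUID}]
KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\(\{[^}]+\}))\]$", re.IGNORECASE)
# A value line under it: \Shell\<verb>\command - <command line>
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
# Absolute Windows path (drive letter + colon + backslash)
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_mountpoints(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each MountPoints2 GUID to its list of (verb, command) overrides."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(2)
            entries.setdefault(current, [])
            continue
        if line.startswith("["):
            current = None  # some other registry key; its values are not ours
            continue
        cmd = CMD_RE.match(line)
        if cmd and current:
            entries[current].append((cmd.group(1), cmd.group(2).strip()))
    return entries


def flag_entries(entries: Dict[str, List[Tuple[str, str]]]) -> List[dict]:
    """Rate every shell-verb override; bare filenames and RunDLL32 launches rank high."""
    findings = []
    for guid, cmds in entries.items():
        for verb, cmd in cmds:
            exe = cmd.split()[0]
            reasons = []
            if "shellexec_rundll" in cmd.lower():
                reasons.append("launched indirectly via RunDLL32 ShellExec_RunDLL")
            if not ABS_PATH_RE.match(exe) and not exe.startswith("\\\\"):
                reasons.append("bare filename, resolved from the drive root")
            findings.append({
                "guid": guid,
                "verb": verb,
                "command": cmd,
                "severity": "high" if reasons else "medium",
                "reasons": reasons or ["drive shell verb overridden"],
            })
    return findings


def audit(log_text: str) -> List[dict]:
    """Parse a log and return the rated findings."""
    return flag_entries(parse_mountpoints(log_text))


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['guid']} Shell\\{f['verb']} -> {f['command']}")
        for r in f["reasons"]:
            print(f"         {r}")
```

Cleaning the keys, as PP notes, only helps until the next infected drive is plugged in; running this over a fresh log after each reconnect shows whether the overrides have come back, and which drive GUID brought them.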