-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}785E6FC50263-C419-F5B4-7813-4891854B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F64B93D732D1-BCCB-50D4-9473-930D5EBB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C05CF6C5F748-499A-2D84-2694-E577D0F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A77DEF9BC768-541A-A994-7006-129ADF45{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9530C92448C0-5C6B-B504-8683-F7643D2F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9A51543450EF-BFD8-8D34-A09E-1540EA23{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0B75657170B2-1DDB-1E94-0684-9FD04B57{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}07CD90D9DF65-1439-4954-4DDA-D4DB1C22{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ACD326C012F7-B648-7584-1DF4-C2381C7B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7DF9D90AE59-B5AB-D5B4-A2A9-BB10F573{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B67D78AF01B5-8E18-1C74-C77A-1C863D66{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6BB684717E46-6DA8-F0B4-32AC-B02472ED{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C4E173377806-1C5B-DC14-197A-A4DE1364{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A2804707E945-C179-EC24-481A-A783B597{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}133EDEBAC369-5698-E304-4E60-AFF39A9D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EFF101EE0B8D-1ED9-3DE4-A329-9D1F9989{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\1201
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ADFC213EDA4A-7A2B-D7F4-5321-F3A4A144{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A44109C2F569-A99B-CD94-15DA-376C18D4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}470E97010CC6-4A29-2354-EB49-2F0AA2EF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B06C4043B3F7-5458-1BF4-524C-4624516E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9BCA0341AA81-8ED8-3344-A793-E0072E13{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}548288517889-7F7A-E554-6309-050E009F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D55FAA11099C-A5EA-2D34-2161-E80651D1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}68A7D340B521-118A-B704-A2B4-520956D4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3E6BF99505C8-BF4A-BA44-230E-F42C619A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8F41C58C7ED1-8DCA-BBD4-6341-7DC4CB24{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C735B01B0787-752A-2704-5F0B-97D5443A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AB44804F0C83-9D1A-D194-DD18-1A539ABF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}89F3E740518B-AC59-14D4-01D0-8C314447{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D18A5240CF0E-08DB-35C4-6D7F-6A6171D2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4BD8C28801DF-526B-A3F4-9855-FA6C5D8B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CED06A357030-FF9A-5424-CB19-44EB97B8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0603879E7372-C058-29A4-2D8F-5F6B8F98{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CD797502B3E0-F369-7284-7B3C-BDCF71B3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1EAC0A839990-0AC8-2614-8FDB-FA8AE0B1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}17ABC3862C7F-5959-EFD4-BD44-C725B531{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E12EEDF90F44-E72A-2544-C74B-6DFFB8F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}308978A37E85-94A8-EA14-9EE0-718E9BF0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9A021B057732-F8DA-BFA4-E7A5-6A02B672{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D1489573682A-D528-5C14-EBDD-5D8FF1CB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E6E55851963A-0309-D784-9FDB-DA5AF16B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8EE572B2C7BE-610A-0214-35BF-B7D845CA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A7FCBD503E98-4AC8-7314-3243-E4659129{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F4D36F78ECB6-129B-3A34-DA02-E9D0823D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CB32F5483013-8FEA-F9D4-BEF4-CCE2EA71{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6FD14ED9D8F0-75FA-ADD4-B7FB-92830489{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}968A79125C90-B3D9-07A4-E44C-7E0E8F74{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}05A1F7A2CFCA-30CA-4D74-F16F-0D2D5CED{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2C1DBDF58277-C188-2E34-F234-6EDDBCC6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}480B17D47476-907A-4EE4-A390-74B8BDA2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C9B153B55BF4-4CC8-2BC4-2D2A-8D6434EE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}722BAC744020-E94A-01A4-A6EB-F80008B5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}31C6DF4D45D1-63DA-A1A4-9139-EA1F5B76{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}10D3B9E22768-149B-2B24-B791-BA289E97{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}51981551CB97-26B8-5514-4D4D-EFABD920{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}29B424FE865F-1939-4E24-F1CE-F4FF315C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\edzmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
...
Random Runs removed from HKLM
"dmzde.exe"=-
...
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
C:\WINDOWS\SYSTEM32\DMCTU.EXE
C:\WINDOWS\SYSTEM32\DMFGG.EXE
C:\WINDOWS\SYSTEM32\DMNQN.EXE
C:\WINDOWS\SYSTEM32\DMZDE.EXE
C:\WINDOWS\SYSTEM32\DMZXK.EXE
* csr.exe C:\WINDOWS\System32\CSCBH.EXE
* csr.exe C:\WINDOWS\System32\CSHKF.EXE
»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSCBH.EXE 51,257 2006-08-07
C:\WINDOWS\SYSTEM32\CSHKF.EXE 51,203 2006-11-18
C:\WINDOWS\SYSTEM32\DMCTU.EXE 44,032 2004-08-04
C:\WINDOWS\SYSTEM32\DMFGG.EXE 44,032 2004-08-04
C:\WINDOWS\SYSTEM32\DMNQN.EXE 44,032 2004-08-04
C:\WINDOWS\SYSTEM32\DMYQI.EXE 44,032 2002-08-29
C:\WINDOWS\SYSTEM32\DMZDE.EXE 44,032 2004-08-04
C:\WINDOWS\SYSTEM32\DMZXK.EXE 44,032 2004-08-04
Other suspects.
C:\WINDOWS\System32\{3D29F5DA-6A58-4967-9AC6-A8229C55E646}.exe
C:\WINDOWS\System32\{40B58FE2-D7B0-4997-8A87-30CE9BFCB145}.exe
C:\WINDOWS\System32\{571FE379-D440-46F9-BC84-7E916FFC32CB}.exe
C:\WINDOWS\System32\{7CAB407F-DAB8-4A75-B608-DA90AD7FEB34}.exe
C:\WINDOWS\System32\{9156C83D-7DDE-467F-BD4F-2213A787C56A}.exe
C:\WINDOWS\System32\{B0B3DA5A-5677-4846-93B6-543304CB95B3}.exe
C:\WINDOWS\System32\{D2F00882-D15F-49AF-8BB9-22AF918F1A9A}.exe
C:\WINDOWS\System32\{EB7967C9-EAAD-4137-BF80-5259F06C81BF}.exe
C:\WINDOWS\System32\{F1759AC1-92B1-46DC-B8E6-9EAF8E884CC1}.exe
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""
...
Well that is it. Thanks again for your help.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
