# Solved: Error. Can not find script file autorun.vbs



## Drew345 (Dec 1, 2006)

When I try to open my Sandisk USB 1 GB memory stick, I get this message Can not(SIC) find script file J://autorun.vbs.
This only happens when I double click on the USB drive from the My Computer window. If I just put in the drive for the first time, it opens OK.
I got an alert from McAfee virus scan yesterday, about a Trojan horse detected and removed. So sorry, can't remember the name, can't find any log file. I scanned the computer and USB memory stick, both say clean now. But when I try to double click open the memory drive, I still get the error Can not find script file J://autorun.vbs. and the drive won't open.
Do I have a virus?
Should I just format the stick drive? I guess I will only lose some software that came with the drive?
Thanks,
Drew


----------



## Drew345 (Dec 1, 2006)

After looking at a similar problem that another user had (http://forums.techguy.org/security/520967-vbs-gaggle-e-cant-double.html?highlight=autorun.vbs), I repeated some of the steps he was told to do:

I went to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders" 
(But I never did any scan here? just made the settings changes?)

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

I Downloaded Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html and unzip it to desktop, open it & paste in this list of files and when it has created the archive on your desktop please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so we can examine the files.

C:\WINDOWS\system32\autorun.vbs
C:\WINDOWS\system32\autorun.bat
C:\WINDOWS\system32\WScript.exe
d:\autorun.vbs

I posted the archive of this to thespykiller site post log file for suspicious file packer posted by Andrew.
http://www.thespykiller.co.uk/forum/index.php?topic=3156.0

I Downloaded AVG Anti-Spyware and ran the setup. I ran the program and updated the definition files. I set recommended actions to Quarantine. I set reports to automatically generate and only if threats found.
I closed AVG Anti-Spyware and did the following steps to scan in safe mode.
1.	Launch AVG Anti-Spyware by double clicking the icon on your desktop. 
2.	Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". 
3.	AVG will now begin the scanning process. Please be patient as this may take a little time.
Once the scan is complete, do the following: 
4.	If you have any infections you will be prompted. Then select "Apply all actions." 
5.	Next select the "Reports" icon at the top. 
6.	Select the "Save report as" button in the lower left-hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important). 
7.	Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Ill post again in a few minutes after doing this.
Thanks,
Andrew


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

Thank you for uploading those files to The SpyKiller. :up:

Would you please post a HijackThis log before doing anything else?

*Click here* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## Drew345 (Dec 1, 2006)

Hello, Thank you very much for looking at my case.
As Information, I want to point out that I get the error when I double click on my J:// Drive USB Memory Stick. Now, I do not have that stick in my system. Of course, I am very happy to check my C: D: hard drive and system files also.
Here is the requested log file. Thanks for your kind attention.
Andrew

Logfile of HijackThis v1.99.1
Scan saved at 7:41:12 AM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/amdlive
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {2220DADA-E946-4533-9987-03127AF1B776} (Tts_nonghyup Control) - http://vs.messagebay.co.kr/plugins/tts_nonghyup.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://banking.nonghyup.com/plugin/scsk/scsk4.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/Congnamul/CongnamulMap_V17.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{855DE2D2-9B93-4A1E-9E31-E900B69D5FB2}: NameServer = 147.46.80.1,147.46.37.10
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


----------



## Cookiegal (Aug 27, 2003)

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report


----------



## Drew345 (Dec 1, 2006)

I ran the Panda Activescan
It stopped on file 325850 (give or take 50) three times. About 25% done according to the sliding progress bar.
The file it stops on is D:\i386\Apps\App10214\
When it stops, the window freezes and I have to go to the Windows Task Manager to close the window. 
At the time it stops, there are 8 spywares detected and 1 'suspicious file'
Darn, there is no 'see report' or 'save report' button, because the Panda Active Scan cannot complete.
Any clue to get it to complete, or is it possible to diagnose with another scanning software?

Maybe this will help - -
Before doing that Panda Active Scan, I had already done this (over last night) --

I ran the AVG Anti-Spyware scan in safe mode. All it found were 32 tracking cookies. I 'applied all actions' and saved the report. I closed AVG and rebooted in Normal mode.

I also wanted to scan my J: Drive USB memory stick. The error message comes when I double click on the J: Drive in the 'my computer' window. But AVG Anti-Spyware has no option to scan a J: drive USB device. So I scanned my J:// drive USB memory stick using Norton antivirus. It said no infected files found.


----------



## Cookiegal (Aug 27, 2003)

I would like you to export a registry key please so I can check something.

Go to Start - Run - type in regedit and click OK to open the registry editor.

Expand each of the following keys by clicking on the + that you see to their left:

HKEY_CURRENT_USER
Software
Microsoft
Windows
CurrentVersion
Explorer

Then, under the Explorer key, scroll down to MountPoints2. Right click on MountPoints2 and select "export" and then save it as MountPoints2.reg to your desktop. Right click the file on your desktop and select "open with" and then select "Notepad" and copy and paste the contents here please.

Run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database"* for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from Kaspersky scan and the exported registry key.*
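
Added example, not part of the original thread or any poster's code: a short Python script that reads a MountPoints2 export like the one requested above and lists every cached shell-verb command per volume, marking commands that launch a script host or script file and whether the verb is the volume's default (double-click) action. The sample export, its GUIDs and the `setup.exe` name are constructed for illustration.

```python
import re

# Interpreters and script extensions worth a second look in a drive's shell verbs.
SCRIPT_HOSTS = ("wscript", "cscript", "cmd", "mshta", "powershell")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")

# Matches ...\MountPoints2\<volume>\Shell\<verb>\Command (case-insensitive).
VERB_CMD = re.compile(r"\\MountPoints2\\([^\\]+)\\shell\\([^\\]+)\\command$", re.I)
VALUE_LINE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample in .reg export format (placeholder GUIDs, not the thread's data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000001}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,\
  00,01,00,df

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000001}\Shell]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000001}\Shell\open\Command]
@="WScript.exe .\\autorun.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000001}\Shell\explore\Command]
@="WScript.exe .\\autorun.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000002}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000002}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000002}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe"
'''


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex values continue on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            current[name] = data
    return keys


def launches_script(command):
    """True if the command starts a script host or names a script file."""
    tokens = [t.strip('"') for t in command.lower().split()]
    if not tokens:
        return False
    host = tokens[0].rsplit("\\", 1)[-1]
    if host.endswith(".exe"):
        host = host[:-4]
    return host in SCRIPT_HOSTS or any(t.endswith(SCRIPT_EXTS) for t in tokens)


def audit_mountpoints(text):
    """List cached per-volume shell commands found in a MountPoints2 export."""
    keys = parse_reg(text)
    lowered = {k.lower(): v for k, v in keys.items()}
    findings = []
    for path, values in keys.items():
        m = VERB_CMD.search(path)
        if not m or "@" not in values:
            continue
        # The default value of the volume's Shell key names the default verb.
        shell_key = path.lower()[: path.lower().rfind("\\shell\\")] + "\\shell"
        default_verb = lowered.get(shell_key, {}).get("@", "")
        findings.append({
            "volume": m.group(1),
            "verb": m.group(2),
            "command": values["@"],
            "on_double_click": m.group(2).lower() == default_verb.lower(),
            "runs_script": launches_script(values["@"]),
        })
    return findings


if __name__ == "__main__":
    for f in audit_mountpoints(SAMPLE_REG):
        tag = "SCRIPT" if f["runs_script"] else "review"
        dbl = " (default verb)" if f["on_double_click"] else ""
        print(f'[{tag}] {f["volume"]} {f["verb"]}{dbl}: {f["command"]}')
```
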


----------



## Drew345 (Dec 1, 2006)

I went to regedit
I expanded:
HKEY_CURRENT_USER
Software
Microsoft
Windows
CurrentVersion
Explorer

I exported MountPoint2 and opened with notepad. A problem came as I wanted to post the results:

After doing this I posted the MountPoint export results. When I hit 'enter post' button, my explorer froze. I closed the window. Every time I went back to http://forums.techguy.org/ (any window on that website!), I got a blank screen and Internet Explorer says 'Done'. Not the window saying 'can't find website', but a totally blank screen. Refresh doesn't help, back to blank screen. I had to come to my office just to paste this reply.
I restarted my computer and got back to this point. I will post the regedit2 mountpoints in the next reply.


----------



## Drew345 (Dec 1, 2006)

This was too long for an entry; I cut about 1000 characters from the bottom.
Andrew

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b4-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b5-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,cf,cf,5f,5f,\
5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,cf,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,60,00,00,00,08,06,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun\DefaultIcon]
@="E:\\CCR.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b7-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b8-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b9-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147ba-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16f3dac0-ff1f-11da-8655-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d40-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d42-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d43-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d44-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d45-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d46-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35c-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35d-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35e-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\AutoRun]
"Extended"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\AutoRun\command]
@="J:\\"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\explore]
@="×ÊÔ´¹ÜÀíÆ÷(&X)"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\explore\Command]
@="WScript.exe .\\autorun.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\open]
@="´ò¿ª(&O)"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\open\Command]
@="WScript.exe .\\autorun.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\open\Default]
@="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e778d5c0-00b8-11db-b317-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d2-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d3-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b4-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b5-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b6-5429-11db-b445-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,49,00,44,00,45,00,23,00,43,00,\
64,00,52,00,6f,00,6d,00,54,00,53,00,53,00,54,00,63,00,6f,00,72,00,70,00,5f,\
00,43,00,44,00,23,00,44,00,56,00,44,00,57,00,5f,00,54,00,53,00,2d,00,48,00,\
35,00,35,00,32,00,44,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,\
00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,47,00,41,00,30,00,31,00,5f,00,5f,00,\
5f,00,5f,00,23,00,35,00,26,00,32,00,66,00,62,00,62,00,35,00,32,00,64,00,30,\
00,26,00,30,00,26,00,30,00,2e,00,30,00,2e,00,30,00,23,00,7b,00,35,00,33,00,\
66,00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,\
00,31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,\
30,00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
65,00,7b,00,30,00,35,00,38,00,31,00,34,00,37,00,62,00,36,00,2d,00,35,00,34,\
00,32,00,39,00,2d,00,31,00,31,00,64,00,62,00,2d,00,62,00,34,00,34,00,35,00,\
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,10,00,00,00,7f,01,00,\
00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\
00
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b7-5429-11db-b445-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,31,00,39,00,64,00,31,00,32,00,\
62,00,66,00,35,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
65,00,7b,00,30,00,35,00,38,00,31,00,34,00,37,00,62,00,37,00,2d,00,35,00,34,\
00,32,00,39,00,2d,00,31,00,31,00,64,00,62,00,2d,00,62,00,34,00,34,00,35,00,\
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,10,00,\
00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,23,00,00,00,46,00,00,00,25,\
00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,\
00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,2c,00,36,00,00,00,25,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,\
00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,00,6f,00,6e,00,\
2e,00,64,00,6c,00,6c,00,2c,00,31,00,00,00,4d,00,4d,00,43,00,2f,00,53,00,44,\
00,00,00,00,00
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b8-5429-11db-b445-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,35,00,39,00,61,00,31,00,61,00,\
34,00,31,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,00,35,\
00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,\
64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,\
00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
65,00,7b,00,30,00,35,00,38,00,31,00,34,00,37,00,62,00,38,00,2d,00,35,00,34,\
00,32,00,39,00,2d,00,31,00,31,00,64,00,62,00,2d,00,62,00,34,00,34,00,35,00,\
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,10,00,\
00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,23,00,00,00,46,00,00,00,25,\
00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,\
00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,2c,00,37,00,00,00,25,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,\
00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,00,6f,00,6e,00,\
2e,00,64,00,6c,00,6c,00,2c,00,32,00,00,00,43,00,6f,00,6d,00,70,00,61,00,63,\
00,74,00,46,00,6c,00,61,00,73,00,68,00,49,00,2f,00,49,00,49,00,00,00,00,00
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b9-5429-11db-b445-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,33,00,34,00,33,00,35,00,39,00,\
38,00,64,00,62,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
65,00,7b,00,30,00,35,00,38,00,31,00,34,00,37,00,62,00,39,00,2d,00,35,00,34,\
00,32,00,39,00,2d,00,31,00,31,00,64,00,62,00,2d,00,62,00,34,00,34,00,35,00,\
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,10,00,\
00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,23,00,00,00,46,00,00,00,25,\
00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,\
00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,2c,00,38,00,00,00,25,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,\
00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,00,6f,00,6e,00,\
2e,00,64,00,6c,00,6c,00,2c,00,33,00,00,00,53,00,6d,00,61,00,72,00,74,00,4d,\
00,65,00,64,00,69,00,61,00,2f,00,78,00,44,00,00,00,00,00
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147ba-5429-11db-b445-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,32,00,35,00,35,00,34,00,39,00,\
33,00,66,00,31,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
...edited cut for length
"Generation"=dword:00000001


----------



## Drew345 (Dec 1, 2006)

The next entry will be the Kaspersky scan results, followed by the new 'hijack this'.
The last entry in the Kaspersky scan results shows a virus on my J: Drive memory stick. I am leaning toward a reformat of that memory stick. Sound like the right thing to do? I hope my computer hard drive is not infected. Does it look clean?
Thanks, Andrew


----------



## Drew345 (Dec 1, 2006)

Monday, December 04, 2006 8:21:54 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/12/2006
Kaspersky Anti-Virus database records: 247704


Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true 

Scan Target My Computer 
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\ 

Scan Statistics 
Total number of scanned objects 108128 
Number of viruses found 1 
Number of infected objects 1 / 0 
Number of suspicious objects 0 
Duration of the scan process 01:05:03 

Infected Object Name Virus Name Last Action 
C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped 

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped 

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped 

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped 

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped 

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Application Data\Microsoft\Word\AutoRecovery save of everything I did.asd Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Cookies\index.dat Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\History\History.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Temp\~DF1379.tmp Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Temp\~DF9CE3.tmp Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Temp\~DFA3C9.tmp Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Temp\~DFE8B7.tmp Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Temp\~WRF0004.tmp Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Temp\~WRS0005.tmp Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\My Documents\Letters\Virus stuff\everything I did.doc Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\NTUSER.DAT Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\ntuser.dat.LOG Object is locked skipped 

C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\urgent-800.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_UK.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security_UK.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Other.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Urgent.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Welcome.dat Object is locked skipped 

C:\Program Files\Microsoft Office\Office10\Startup\PDFMaker.dot Object is locked skipped 

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped 

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP55\change.log Object is locked skipped 

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped 

C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt Object is locked skipped 

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{483DE759-86AA-4737-B941-D5D8182CD1CD}.crmlog Object is locked skipped 

C:\WINDOWS\SchedLgU.Txt Object is locked skipped 

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped 

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped 

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped 

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\default Object is locked skipped 

C:\WINDOWS\system32\config\default.LOG Object is locked skipped 

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped 

C:\WINDOWS\system32\config\SAM Object is locked skipped 

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped 

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\SECURITY Object is locked skipped 

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped 

C:\WINDOWS\system32\config\software Object is locked skipped 

C:\WINDOWS\system32\config\software.LOG Object is locked skipped 

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\system Object is locked skipped 

C:\WINDOWS\system32\config\system.LOG Object is locked skipped 

C:\WINDOWS\system32\h323log.txt Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped 

C:\WINDOWS\WindowsUpdate.log Object is locked skipped 

J:\autorun.bat Infected: Virus.Win32.Small.k skipped 

Scan process completed.
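
A report like the one above mixes real detections with files the scanner could not open, so the two have to be separated before judging whether the machine is clean. The Python sketch below is an added example, not part of the original post and not Kaspersky's own tooling; the function names, the shortened sample and the reading of `skipped` as "no action was taken" are assumptions.

```python
import re
from collections import Counter

# Constructed sample: a shortened report in the same layout as the one above.
SAMPLE_REPORT = r"""
Scan Statistics
Total number of scanned objects 108128
Number of viruses found 1
Number of infected objects 1 / 0
Number of suspicious objects 0

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt Object is locked skipped

J:\autorun.bat Infected: Virus.Win32.Small.k skipped

Scan process completed.
"""

# Paths contain spaces, so a row cannot be split on whitespace. Anchor on
# the two verdict strings the report uses and take the path lazily up to them.
ROW = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<verdict>Object is locked|Infected: (?P<threat>\S+))\s+"
    r"(?P<action>\S+)\s*$"
)
STAT = re.compile(r"^Number of viruses found\s+(?P<n>\d+)\s*$")


def parse_report(text):
    """Return (declared_virus_count, rows) parsed from a report."""
    declared, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        stat = STAT.match(line)
        if stat:
            declared = int(stat.group("n"))
            continue
        row = ROW.match(line)
        if row:
            rows.append({
                "path": row.group("path"),
                "threat": row.group("threat"),  # None for locked objects
                "action": row.group("action"),
            })
    return declared, rows


def triage(text):
    """Split detections from unscanned files and sanity-check the totals."""
    declared, rows = parse_report(text)
    infected = [r for r in rows if r["threat"]]
    locked = [r for r in rows if not r["threat"]]
    return {
        "declared": declared,
        "infected": infected,
        # Locked objects were in use and were not scanned, so a clean
        # verdict says nothing about them.
        "locked_count": len(locked),
        # Assumption: "skipped" means the detected file is still on disk.
        "unresolved": [r for r in infected if r["action"] == "skipped"],
        # The header count should equal the number of "Infected:" rows.
        "consistent": declared == len(infected),
        "by_drive": Counter(r["path"][0].upper() for r in infected),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for r in result["unresolved"]:
        print(f"still present: {r['path']} ({r['threat']})")
    print(f"not scanned (locked): {result['locked_count']}")
    print(f"header count matches rows: {result['consistent']}")
```
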


----------



## Drew345 (Dec 1, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 8:33:26 AM, on 12/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/amdlive
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2220DADA-E946-4533-9987-03127AF1B776} (Tts_nonghyup Control) - http://vs.messagebay.co.kr/plugins/tts_nonghyup.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://banking.nonghyup.com/plugin/scsk/scsk4.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/Congnamul/CongnamulMap_V17.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{855DE2D2-9B93-4A1E-9E31-E900B69D5FB2}: NameServer = 147.46.80.1,147.46.37.10
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


----------



## Cookiegal (Aug 27, 2003)

There are some entries in that registry export that need to be fixed so I'm attaching a FixDrew.zip file to this post. Save it to your desktop. Unzip it and double click the FixDrew.reg file and allow it to enter into the registry.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [Power2GoExpress] NA*

Then delete this file from your J drive:

*J:\autorun.bat*

How are things running now?


----------



## Drew345 (Dec 1, 2006)

I ran the fixDrew.zip and let it edit my registry key.
I ran hijackthis and fixed those two entries.
I deleted the file J://autorun.bat

But still, when I try to open my J: Drive memory stick I get the error:
Error. Can not find script file autorun.vbs 
and the drive won't open. I also can't explore to open the drive. The only way to open the drive is, the first time I plug it in, it will open automatically. Other than that, always that error 'Can not find script file autorun.vbs'

I ran the Kaspersky internet virus scan. I put the results in the next entry. It looks like the virus is gone, but there is still that autorun.vbs problem.
I also ran the hijack this again. The results are in the second entry here.


----------



## Drew345 (Dec 1, 2006)

Monday, December 04, 2006 7:53:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/12/2006
Kaspersky Anti-Virus database records: 247817


Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true 

Scan Target My Computer 
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\ 

Scan Statistics 
Total number of scanned objects 108252 
Number of viruses found 0 
Number of infected objects 0 / 0 
Number of suspicious objects 0 
Duration of the scan process 01:00:48 

Infected Object Name Virus Name Last Action 
C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped 

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped 

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped 

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped 

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped 

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped 

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Cookies\index.dat Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\History\History.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\History\History.IE5\MSHist012006120420061205\index.dat Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\NTUSER.DAT Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\ntuser.dat.LOG Object is locked skipped 

C:\Documents and Settings\Owner.ANDREW\UserData\index.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\ie7conflict.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_UK.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security_UK.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Other.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Urgent.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Welcome.dat Object is locked skipped 

C:\Program Files\BigFix\__Data\__Global\Logs\20061204.log Object is locked skipped 

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped 

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP55\change.log Object is locked skipped 

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped 

C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt Object is locked skipped 

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{98A4F5CF-6FA5-4EA5-B87B-A5F77B2B08E7}.crmlog Object is locked skipped 

C:\WINDOWS\SchedLgU.Txt Object is locked skipped 

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped 

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\default Object is locked skipped 

C:\WINDOWS\system32\config\default.LOG Object is locked skipped 

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped 

C:\WINDOWS\system32\config\SAM Object is locked skipped 

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped 

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\SECURITY Object is locked skipped 

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped 

C:\WINDOWS\system32\config\software Object is locked skipped 

C:\WINDOWS\system32\config\software.LOG Object is locked skipped 

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\system Object is locked skipped 

C:\WINDOWS\system32\config\system.LOG Object is locked skipped 

C:\WINDOWS\system32\h323log.txt Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped 

C:\WINDOWS\WindowsUpdate.log Object is locked skipped 

Scan process completed.


----------



## Drew345 (Dec 1, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 8:08:38 PM, on 12/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/amdlive
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2220DADA-E946-4533-9987-03127AF1B776} (Tts_nonghyup Control) - http://vs.messagebay.co.kr/plugins/tts_nonghyup.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://banking.nonghyup.com/plugin/client/INIS.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://banking.nonghyup.com/plugin/scsk/scsk4.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - http://ahnlabdownload.nefficient.co.kr/asp/cab/mkdplus.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/Congnamul/CongnamulMap_V17.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{855DE2D2-9B93-4A1E-9E31-E900B69D5FB2}: NameServer = 147.46.80.1,147.46.37.10
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


----------



## Cookiegal (Aug 27, 2003)

Were you able to run a scan on the J drive?


----------



## Drew345 (Dec 1, 2006)

Hello Cookiegal,
Yes, the Kaspersky log I put in on post #15 here did have the J:/ drive included in the scan. Also, I ran the AVG scan on the J:/ Drive. Neither one showed any virus or spyware on the J:/ Drive memory stick. It looks like that J:/ drive is clean now (I did delete the offending autorun.exe yesterday). The disk just seems to be missing an 'autorun.vbs' file. I don't know if that is a real, necessary system file, or if that is still the trace of some virus.
Thanks, Drew


----------



## Cookiegal (Aug 27, 2003)

Would you please export the *MountPoints2* registry key again as you did before? Be sure to remove the one you had exported to your desktop previously.
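Added example, not part of the original post: a short Python script that reads a MountPoints2 export and lists every cached `shell\<verb>\command` entry, marking the ones that call a script host or a script/batch file. It assumes Explorer keeps a drive's AutoRun verbs under these subkeys; the sample export, its GUID and the `SCRIPT_RE` heuristic are constructed for illustration.

```python
import re

# Constructed sample in regedit export format (not copied from the thread).
# A real "Version 5.00" export file is UTF-16; open it with encoding="utf-16".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,\
  00,01,00,df

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\wscript.exe autorun.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000002}\shell\open\command]
@="E:\\setup.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000002}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# ...\MountPoints2\<drive letter or volume GUID>\shell\<verb>\command
CMD_KEY_RE = re.compile(
    r'\\MountPoints2\\([^\\]+)\\shell\\([^\\]+)\\command$', re.IGNORECASE)
# Heuristic (an assumption of this example): script hosts and script/batch files.
SCRIPT_RE = re.compile(
    r'\b(wscript|cscript)(\.exe)?\b|\.(vbs|vbe|js|jse|wsf|bat|cmd)\b',
    re.IGNORECASE)


def _unquote(quoted):
    """Strip the surrounding quotes and undo .reg escaping (\\\\ and \\")."""
    return re.sub(r'\\(.)', r'\1', quoted[1:-1])


def parse_reg(text):
    """Return {key_path: {value_name: data}}; '@' is the key's default value."""
    keys, current, pending = {}, None, ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if line.endswith('\\'):          # hex data continued on the next line
            pending = line[:-1]
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, data = value.groups()
            name = name if name == '@' else _unquote(name)
            # String data is unescaped; hex:/dword: data is kept as written.
            keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def cached_autorun_commands(text):
    """List the shell verb commands cached under MountPoints2 in an export."""
    findings = []
    for key, values in parse_reg(text).items():
        match = CMD_KEY_RE.search(key)
        if match and '@' in values:
            command = values['@']
            findings.append({
                'mount_point': match.group(1),
                'verb': match.group(2),
                'command': command,
                'script': bool(SCRIPT_RE.search(command)),
            })
    return findings


if __name__ == '__main__':
    for item in cached_autorun_commands(SAMPLE_EXPORT):
        mark = 'REVIEW' if item['script'] else 'ok'
        print(f"[{mark}] {item['mount_point']} {item['verb']}: {item['command']}")
```

An entry marked REVIEW whose target file is no longer on the drive is the kind of leftover worth comparing against the drive's actual contents.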


----------



## Drew345 (Dec 1, 2006)

Yes, I will put it in the next post.
Thanks for keeping with me.
Drew


----------



## Drew345 (Dec 1, 2006)

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b4-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b5-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,cf,cf,5f,5f,\
5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,cf,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,60,00,00,00,08,06,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun\DefaultIcon]
@="E:\\CCR.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b7-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b8-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b9-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147ba-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16f3dac0-ff1f-11da-8655-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d40-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d42-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d43-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d44-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d45-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d46-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35c-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35d-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35e-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e778d5c0-00b8-11db-b317-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d2-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d3-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b4-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b5-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b6-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b7-5429-11db-b445-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,31,00,39,00,64,00,31,00,32,00,\
62,00,66,00,35,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
65,00,7b,00,30,00,35,00,38,00,31,00,34,00,37,00,62,00,37,00,2d,00,35,00,34,\
00,32,00,39,00,2d,00,31,00,31,00,64,00,62,00,2d,00,62,00,34,00,34,00,35,00,\
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,10,00,\
00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,23,00,00,00,46,00,00,00,25,\
00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,\
00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,2c,00,36,00,00,00,25,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,\
00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,00,6f,00,6e,00,\
2e,00,64,00,6c,00,6c,00,2c,00,31,00,00,00,4d,00,4d,00,43,00,2f,00,53,00,44,\
00,00,00,00,00
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b8-5429-11db-b445-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,35,00,39,00,61,00,31,00,61,00,\
34,00,31,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,00,35,\
00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,\
64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,\
00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
65,00,7b,00,30,00,35,00,38,00,31,00,34,00,37,00,62,00,38,00,2d,00,35,00,34,\
00,32,00,39,00,2d,00,31,00,31,00,64,00,62,00,2d,00,62,00,34,00,34,00,35,00,\
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,10,00,\
00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,23,00,00,00,46,00,00,00,25,\
00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,\
00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,2c,00,37,00,00,00,25,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,\
00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,00,6f,00,6e,00,\
2e,00,64,00,6c,00,6c,00,2c,00,32,00,00,00,43,00,6f,00,6d,00,70,00,61,00,63,\
00,74,00,46,00,6c,00,61,00,73,00,68,00,49,00,2f,00,49,00,49,00,00,00,00,00
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b9-5429-11db-b445-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,33,00,34,00,33,00,35,00,39,00,\
38,00,64,00,62,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
65,00,7b,00,30,00,35,00,38,00,31,00,34,00,37,00,62,00,39,00,2d,00,35,00,34,\
00,32,00,39,00,2d,00,31,00,31,00,64,00,62,00,2d,00,62,00,34,00,34,00,35,00,\
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,10,00,\
00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,23,00,00,00,46,00,00,00,25,\
00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,\
00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,2c,00,38,00,00,00,25,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,\
00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,00,6f,00,6e,00,\
2e,00,64,00,6c,00,6c,00,2c,00,33,00,00,00,53,00,6d,00,61,00,72,00,74,00,4d,\
00,65,00,64,00,69,00,61,00,2f,00,78,00,44,00,00,00,00,00
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147ba-5429-11db-b445-806d6172696f}]
"Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\
47,00,45,00,23,00,52,00,65,00,6d,00,6f,00,76,00,61,00,62,00,6c,00,65,00,4d,\
00,65,00,64,00,69,00,61,00,23,00,37,00,26,00,32,00,35,00,35,00,34,00,39,00,\
33,00,66,00,31,00,26,00,30,00,26,00,52,00,4d,00,23,00,7b,00,35,00,33,00,66,\
00,35,00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,\
31,00,64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,\
00,63,00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\
65,00,7b,00,30,00,35,00,38,00,31,00,34,00,37,00,62,00,61,00,2d,00,35,00,34,\
00,32,00,39,00,2d,00,31,00,31,00,64,00,62,00,2d,00,62,00,34,00,34,00,35,00,\
2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\
00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\
6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,10,00,\
00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\
00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,23,00,00,00,46,00,00,00,25,\
00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,\
00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,2c,00,39,00,00,00,25,00,53,00,79,00,\
73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,\
00,74,00,65,00,6d,00,33,00,32,00,5c,00,45,00,4d,00,69,00,63,00,6f,00,6e,00,\
2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,00,4d,00,53,00,2f,00,4d,00,53,00,20,\
00,50,00,72,00,6f,00,00,00,00,00
"Generation"=dword:00000001


----------



## Drew345 (Dec 1, 2006)

This may be important.
I have another memory stick (32Mb). With this 32Mb memory stick, I have no problem. I can open it without any error message. I noticed that on this 32 Mb memory stick, there are no hidden files on the 'top' directory. The memory stick with the problem (1Gb) has a lot of hidden files on the 'top' directory. I will give a list of those hidden files here. I had deleted the autorun.bat before; I didn't know if all these other files are also part of the problem. The virus scanner never complained about these other files. Should I have deleted all these other 'autorun' files when I deleted the autorun.bat?

Here is a list of hidden files on the 'top' of the 1GB drive (that won't open by double click):
autorun.apm
autorun.bin
autorum.bmp
autorun.esss
autorun.esssssssssss
autorun.esssssssssssssssss
Autorun.exe_(chineseWriting)
AUTORUN.FCB
Autorun.ico
autorun.inf
AUTORUN.INF1
autorun.inf_(more chinese)
Autorun.ini
AUTORUN.PNF
autorun.rar
autorun.reg


----------



## Cookiegal (Aug 27, 2003)

We would like to take a closer look at all of those autorun files on your flash drive so please do this:

Download Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html and unzip it to desktop, open it & 
paste in those files and when it has created the archive on your desktop please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so we can examine them:

Please add a link to your post here so we know where the files came from. Thanks.

Also, please do this:

*1.* Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name *options.txt* and save as file type: *all files* to your desktop.



> RegSearch Options File
> 
> [Search]
> *autorun*
> ...


*2.* Download Registry Search to your desktop. 
Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
Open the new folder, and double click on *regsearch.exe*
Click "Import" in the lower left corner and browse to the *options.txt* file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself. 
Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
 Please reply here with the entire contents of the Notepad file from RegSearch.


----------



## Drew345 (Dec 1, 2006)

I ran the suspicious file packer and uploaded the files to this link:

http://www.thespykiller.co.uk/forum/index.php?topic=3197.0

SFP ran very fast. These suspicious files were all on my J:/ Drive 1 GB memory stick. The Memory stick was plugged in of course, but I don't know if SFP pulls files from the J:/ Drive routinely.

I ran the registry search with the modified 'options.txt' file. 
The report from RegSearch is pasted here below.

Thanks, Drew

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 12/6/2006 7:48:30 AM for strings:
; 'autorun'
; Strings excluded from search:
; (None)
; Search in: 
; Registry Keys Registry Values Registry Data 
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8DF592B-DE05-49f5-BB21-084F548F12A9}]
@="iTunesAdminEnableAutoRun Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8DF592B-DE05-49f5-BB21-084F548F12A9}\ProgID]
@="iTunesAdmin.iTunesAdminEnableAutoRun.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8DF592B-DE05-49f5-BB21-084F548F12A9}\VersionIndependentProgID]
@="iTunesAdmin.iTunesAdminEnableAutoRun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun]
@="iTunesAdminEnableAutoRun Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun\CurVer]
@="iTunesAdmin.iTunesAdminEnableAutoRun.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun.1]
@="iTunesAdminEnableAutoRun Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\10.0\Access\Jet\4.0\ISAM Formats\Exchange 4.0]
"AutoRun"="YES"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\10.0\Access\Jet\4.0\ISAM Formats\Outlook 9.0]
"AutoRun"="YES"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\AutorunINFLegacyArrival]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\AutoScan\AutoRunPatch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\AutoScan\AutoRunPatch\{ced6b8f5-1107-43af-b172-4908e7439edc}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\AutoScan\AutoRunPatch\{ffcf421c-c5d5-411e-8eca-1e63f20e0191}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\autorun.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cdrom]
"AutoRun"=dword:00000001
; Contents of value:
; NEC MBR-7 
; NEC MBR-7.4 PIONEER CHANGR DR
; PIONEER CHANGR DRM-1804X PIONEER CD-ROM DRM-6324X PIONEER C
; PIONEER CD-ROM DRM-6324X PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; TORiSAN CD-ROM CDR_C36 
; 
"AutoRunAlwaysDisable"=hex(7):4e,45,43,20,20,20,20,20,4d,42,52,2d,37,20,20,20,\
00,4e,45,43,20,20,20,20,20,4d,42,52,2d,37,2e,34,20,00,50,49,4f,4e,45,45,52,\
20,43,48,41,4e,47,52,20,44,52,4d,2d,31,38,30,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,33,32,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,32,34,58,20,00,54,4f,52,69,53,41,4e,\
20,43,44,2d,52,4f,4d,20,43,44,52,5f,43,33,36,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk]
; Contents of value:
; Brother RemovableDisk(U) 
; 
"AutoRunAlwaysDisable"=hex(7):42,72,6f,74,68,65,72,20,52,65,6d,6f,76,61,62,6c,\
65,44,69,73,6b,28,55,29,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\autorun.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Cdrom]
"AutoRun"=dword:00000001
; Contents of value:
; NEC MBR-7 
; NEC MBR-7.4 PIONEER CHANGR DR
; PIONEER CHANGR DRM-1804X PIONEER CD-ROM DRM-6324X PIONEER C
; PIONEER CD-ROM DRM-6324X PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; TORiSAN CD-ROM CDR_C36 
; 
"AutoRunAlwaysDisable"=hex(7):4e,45,43,20,20,20,20,20,4d,42,52,2d,37,20,20,20,\
00,4e,45,43,20,20,20,20,20,4d,42,52,2d,37,2e,34,20,00,50,49,4f,4e,45,45,52,\
20,43,48,41,4e,47,52,20,44,52,4d,2d,31,38,30,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,33,32,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,32,34,58,20,00,54,4f,52,69,53,41,4e,\
20,43,44,2d,52,4f,4d,20,43,44,52,5f,43,33,36,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Disk]
; Contents of value:
; Brother RemovableDisk(U) 
; 
"AutoRunAlwaysDisable"=hex(7):42,72,6f,74,68,65,72,20,52,65,6d,6f,76,61,62,6c,\
65,44,69,73,6b,28,55,29,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\autorun.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000001
; Contents of value:
; NEC MBR-7 
; NEC MBR-7.4 PIONEER CHANGR DR
; PIONEER CHANGR DRM-1804X PIONEER CD-ROM DRM-6324X PIONEER C
; PIONEER CD-ROM DRM-6324X PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; TORiSAN CD-ROM CDR_C36 
; 
"AutoRunAlwaysDisable"=hex(7):4e,45,43,20,20,20,20,20,4d,42,52,2d,37,20,20,20,\
00,4e,45,43,20,20,20,20,20,4d,42,52,2d,37,2e,34,20,00,50,49,4f,4e,45,45,52,\
20,43,48,41,4e,47,52,20,44,52,4d,2d,31,38,30,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,33,32,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,32,34,58,20,00,54,4f,52,69,53,41,4e,\
20,43,44,2d,52,4f,4d,20,43,44,52,5f,43,33,36,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
; Contents of value:
; Brother RemovableDisk(U) 
; 
"AutoRunAlwaysDisable"=hex(7):42,72,6f,74,68,65,72,20,52,65,6d,6f,76,61,62,6c,\
65,44,69,73,6b,28,55,29,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Internet Explorer\TypedURLs]
"url3"="http://forums.techguy.org/security/520967-vbs-gaggle-e-cant-double.html?highlight=autorun.vbs"

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}]
"AttemptedAutoRun"=dword:00000001

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}]
"AttemptedAutoRun"=dword:00000001

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\MediaPlayer\UIPlugins\{D5E49195-ED19-40fb-9EE0-E6625A808B77}]
"AttemptedAutoRun"=dword:00000001

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}]
; Contents of value:
;    ßß_Ï____ÏÏ___ÏÏÏ___ÏÏÏ__Ï_____ îÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ `  
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,cf,cf,5f,5f,\
5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,cf,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,60,00,00,00,08,06,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun]

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun\DefaultIcon]

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b9-5429-11db-b445-806d6172696f}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____ _____ÏÏ____ îÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____ îÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell]
@="AutoRun"

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun]

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun\command]

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____Ï_____ÏÏ____ÏÏÏÏÏîÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____ îÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,07,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\AutoRun]

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\AutoRun\command]

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\explore\Command]
@="WScript.exe .\\autorun.vbs"

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell\open\Command]
@="WScript.exe .\\autorun.vbs"

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____ îÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____Ï_____ÏÏ____ÏÏÏÏÏîÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

; End Of The Log...


----------



## Cookiegal (Aug 27, 2003)

Were you logged in under a different user account when you used the registry search tool from when you did the last export of the Mountpoints2 key?


----------



## Cookiegal (Aug 27, 2003)

Also, I wanted to point out that this infection steals information and if you do any on-line banking or other financial transactions and have that sort of information stored in your computer then you should change all account numbers and passwords.


I would also like to know how many user profile accounts you have set up on this computer please.


----------



## Drew345 (Dec 1, 2006)

I only have one user account, so I was logged in as the same user when I did the registry search tool as when I did the last export of MountPoints2.

The comment about 'infection steals information' has me alarmed of course. I will change my passwords and account numbers, but can you please clarify a bit:
- Do you mean that there is an infection on my PC? Up to now I thought only my J: Drive memory stick was infected. One time it tried to jump from my memory stick to my PC and I thought my McAfee stopped it.
- Is it safe now to log on and change my on-line banking passwords, or is the infection still running on my machine?
- Do you mean stealing information as 'key-logging' or 'copying files' from my hard drive? I don't keep passwords on my hard drive.

This has me disturbed and I am now very close to reformatting my hard drive and memory stick and installing everything from scratch. Should I do it? 
Thanks,
Drew


----------



## Drew345 (Dec 1, 2006)

Thank you for the warning in your last post. I am taking appropriate measures with my financial institution.
Sorry if there was any 'attitude' in my last post. I was a bit emotional hearing that news.
Thanks, Drew


----------



## Mosaic1 (Aug 17, 2001)

Hi Drew,

I have been watching this thread and consulting in the background. Because of the time difference I see you are here now and so would like to work with you a bit if that's ok. It's possible that something is putting back the entry in the registry. Quickly, can you please right click on the C: drive and tell me what that context menu looks like? 


After you do that, Import the reg file Cookiegal gave you before to remove the entry pointing to autorun.vbs.

Once you are finished, please export mountpoints2 again and post that.

Then finally, please open the C: drive using My Computer. 

Then export the mountpoints2 key again and post it. Please do this in that order.

Mosaic1


----------



## Drew345 (Dec 1, 2006)

I am not sure what 'context menu' is. I think it means the drop-down menu that opens when I right click on the c-drive.
Also, the C-drive always opens fine. It is the J: Drive memory stick that makes the problem. Did you mean the j: Drive 'context menu'?
I go to 'my computer' and right click on the c-drive, the 'drop-down' menu looks like:
Open 
Explore 
Search
Scan with AVG Anti-spyware
Sharing and security
Scan...
Add to Archive...
Add to "Archive.rar"
Compress and email
Compress to Archive.rar and email
Format
Copy Paste
Create Shortcut
Rename
Properties


----------



## Drew345 (Dec 1, 2006)

Concerning the step 2, importing the reg file to delete entry pointing to autorun.vbs.
Cookiegal gave me one regfile "fixdrew.reg"
The contents of this regfile are:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}\Shell]

Is that the reg file you are referring to in that second step? I am just confused because I don't see any reference to 'autorun.vbs' in that reg file. If that's the one, I'll run it.

Finally, one more question. The 4th step says to open the c:drive. Again, did you perhaps mean the J: Drive Memory stick (which is having the problem)?

Just to clarify please, then I will do these steps right away.
Thanks,
Drew


----------



## Mosaic1 (Aug 17, 2001)

As for the information stealing. I think it may have been possible if you had really been infected. But nothing is certain unless you were infected and we can see copies of the files. 
It is always a good idea to make changes to protect yourself when infected. There are always different variants. Also, this one, if active, can also send out emails behind your back attaching itself to those emails. 
Those flash drives are one way these infections do get passed from one System to another.

Yes. Use the file Cookiegal gave you.

I want to see what happens after you remove it. There should be no autoplay entry when you right click on a fixed drive like C:


----------



## Mosaic1 (Aug 17, 2001)

The bottom line is that in one variant at least, an entry is added to the fixed drives' context menu to run a file. That file adds back the context menu entry for your flash drive. So even though the file it is set to run (the autorun.vbs) is not there, you get an error. And there may be other files created as well when you open the C: Drive.

Therefore, I want to see what happens after you clean up and then open the C Drive again. 

And I would like to know what entries are listed when you right click on the C: drive in My Computer and which of those entries is in bold.


The reg file deletes the shell subkey. That will clean up any subkeys under shell. The subkeys are where you would see autorun.vbs mentioned.

Hope this explains it more clearly. 


Since we don't have the McAfee information, we are guessing as to which variant you have.


There are several possibilities.


----------
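
The check Mosaic1 describes above, as an added example (not code from this thread or from any tool mentioned in it): it parses a regedit export of MountPoints2, lists each volume's shell verbs, flags verbs that launch a command line, and builds a delete file of the same form as the one-line fix file quoted earlier. The GUIDs and the autorun.vbs command line in the sample are constructed placeholders, and the flag names are this example's own.

```python
import re

ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd)\b", re.I)

# Constructed export in regedit's text format. The GUIDs are placeholders and the
# autorun.vbs command line is illustrative, not a value recovered from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[<MP2>\{00000000-0000-0000-0000-0000000000aa}\shell]
@="None"

[<MP2>\{00000000-0000-0000-0000-0000000000aa}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[<MP2>\{00000000-0000-0000-0000-0000000000aa}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[<MP2>\{00000000-0000-0000-0000-0000000000bb}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,\
  ff,ff,00,00

[<MP2>\{00000000-0000-0000-0000-0000000000bb}\Shell]
@="AutoRun"

[<MP2>\{00000000-0000-0000-0000-0000000000bb}\Shell\AutoRun]
@="Auto&Play"

[<MP2>\{00000000-0000-0000-0000-0000000000bb}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\wscript.exe autorun.vbs"
'''.replace("<MP2>", ROOT)


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg strings escape \ and " with a backslash


def parse_reg(text):
    """Parse a regedit text export into {key_path: {value_name: data}}; '@' is the default value."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]                      # hex data continues on the next line
            continue
        section = re.fullmatch(r"\[([^-].*)\]", line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if value and current is not None:
            name, data = value.groups()
            name = name if name == "@" else _unescape(name[1:-1])
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])         # REG_SZ string value
            current[name] = data                     # hex:/dword: data is kept as written
    return keys


def shell_verbs(keys):
    """One finding per volume/shell/verb key under MountPoints2, with triage flags."""
    by_lower = {k.lower(): (k, v) for k, v in keys.items()}   # key paths are case-insensitive
    prefix = ROOT.lower() + "\\"
    findings = []
    for lower, (key, _) in by_lower.items():
        parts = key[len(prefix):].split("\\")
        if not lower.startswith(prefix) or len(parts) != 3 or parts[1].lower() != "shell":
            continue
        volume, _shell, verb = parts
        default_verb = by_lower.get(lower.rsplit("\\", 1)[0], (None, {}))[1].get("@", "")
        command = by_lower.get(lower + "\\command", (None, {}))[1].get("@")
        flags = []
        if command is not None:
            flags.append("command")                  # verb launches a command line
            if verb.lower() == default_verb.lower():
                flags.append("default-action")       # the bold entry, run on double-click
            if SCRIPT_EXT.search(command):
                flags.append("script")               # command line names a script file
        findings.append({"volume": volume, "verb": verb, "command": command, "flags": flags})
    return findings


def cleanup_reg(findings, flag="script"):
    """Build a .reg file deleting the Shell subkey of every volume that carries `flag`."""
    volumes = sorted({f["volume"] for f in findings if flag in f["flags"]})
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += [f"[-{ROOT}\\{v}\\Shell]" for v in volumes]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = shell_verbs(parse_reg(SAMPLE_EXPORT))
    for f in found:
        print(f["volume"], f["verb"], f["flags"], f["command"])
    print(cleanup_reg(found))
```

A verb with a DropTarget CLSID and no command subkey, like the Autoplay entries in the exports in this thread, gets no flags; a flag marks an entry for review and is not a verdict on its own.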



## Drew345 (Dec 1, 2006)

When I right click the c:drive, from that list of items mentioned 2 posts ago, only the "Open" was in bold. Will report any change after these steps.
I ran the reg file and will post the exported MountPoints2 in the next post.


----------



## Drew345 (Dec 1, 2006)

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b4-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b5-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b5-5429-11db-b445-806d6172696f}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b5-5429-11db-b445-806d6172696f}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b5-5429-11db-b445-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,cf,cf,5f,5f,\
5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,cf,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,60,00,00,00,08,06,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun\DefaultIcon]
@="E:\\CCR.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b7-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b8-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b9-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147ba-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16f3dac0-ff1f-11da-8655-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d40-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d42-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d43-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d44-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d45-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d46-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35c-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35d-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35e-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e778d5c0-00b8-11db-b317-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d2-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d3-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b4-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b5-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b6-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b7-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b8-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b9-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147ba-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001


----------



## Drew345 (Dec 1, 2006)

I opened the C: Drive from 'my computer' (by double clicking on it).
Oh my gosh, on the C: Drive is an 'autoexec.bat' hidden file (but not autorun.bat).
I exported the MountPoints2 and post that here in the next entry.
Then after that I will put the C: Drive right click drop down menu.


----------



## Drew345 (Dec 1, 2006)

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b4-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b5-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b5-5429-11db-b445-806d6172696f}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b5-5429-11db-b445-806d6172696f}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b5-5429-11db-b445-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,cf,cf,5f,5f,\
5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,cf,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,60,00,00,00,08,06,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun\DefaultIcon]
@="E:\\CCR.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b7-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b8-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b9-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147ba-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16f3dac0-ff1f-11da-8655-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d40-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d42-287f-11db-8c3a-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d43-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d44-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d45-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d46-287f-11db-8c3a-a4ed8e78fef7}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35c-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35d-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{807bd35e-2f72-11db-9118-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e778d5c0-00b8-11db-b317-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d2-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d3-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b4-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b5-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b6-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b7-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b8-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147b9-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{058147ba-5429-11db-b445-806d6172696f}]
"Generation"=dword:00000001
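
Added example, not part of the thread or any poster's code: a small parser for a MountPoints2 export like the one above that lists each volume's cached shell command and whether it is the default verb, which is the action Explorer runs when the drive is double-clicked. The second volume GUID, its command and its hex value are constructed for illustration, and `script_target` is a hypothetical helper name.

```python
import re

MP2 = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# Sample .reg text. The first volume and its command are copied from the
# export above; the second volume ({0000...0001}) is constructed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[<MP2>\{058147b5-5429-11db-b445-806d6172696f}]
"BaseClass"="Drive"

[<MP2>\{058147b5-5429-11db-b445-806d6172696f}\Shell]
@="AutoRun"

[<MP2>\{058147b5-5429-11db-b445-806d6172696f}\Shell\AutoRun]
@="Auto&Play"

[<MP2>\{058147b5-5429-11db-b445-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480"

[<MP2>\{00000000-0000-0000-0000-000000000001}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,\
  00,01,00,df

[<MP2>\{00000000-0000-0000-0000-000000000001}\Shell]
@="AutoRun"

[<MP2>\{00000000-0000-0000-0000-000000000001}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe autorun.vbs"
'''.replace('<MP2>', MP2)

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
CMD_RE = re.compile(r'\\MountPoints2\\([^\\]+)\\shell\\([^\\]+)\\command$', re.I)
SCRIPT_RE = re.compile(r'([\w.\-]+\.(?:vbs|vbe|js|jse|wsf|bat|cmd))\b', re.I)


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}}; '@' is the default value."""
    keys, current, pending = {}, None, ''
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ''
        if line.endswith('\\'):          # hex data continued on the next line
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            name = '@' if name == '@' else re.sub(r'\\(.)', r'\1', name[1:-1])
            current[name] = m.group(2)
    return keys


def string_data(raw):
    """Decode a quoted REG_SZ value; return None for hex/dword/missing data."""
    if raw and len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])   # \\ -> \ and \" -> "
    return None


def script_target(command):
    """Return the first script file name a command line refers to, if any."""
    m = SCRIPT_RE.search(command or '')
    return m.group(1) if m else None


def cached_shell_commands(keys):
    """List the shell verbs cached per volume under MountPoints2."""
    found = []
    for path, values in keys.items():
        m = CMD_RE.search(path)
        if not m:
            continue
        volume, verb = m.group(1), m.group(2)
        command = string_data(values.get('@'))
        shell_key = path[:m.start(2) - 1]           # ...\<volume>\Shell
        default_verb = string_data(keys.get(shell_key, {}).get('@')) or ''
        found.append({
            'volume': volume,
            'verb': verb,
            'command': command,
            'runs_on_double_click': default_verb.lower() == verb.lower(),
            'script': script_target(command),
        })
    return found


if __name__ == '__main__':
    for entry in cached_shell_commands(parse_reg(SAMPLE_REG)):
        print(entry)
```
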


----------



## Mosaic1 (Aug 17, 2001)

Autoexec.bat is probably not a problem. Can you right click on it and choose edit please? Then copy and paste the contents here. 


Also, please run the regsearch just exactly the same as you did before as per Cookiegal's instructions after you finish the other.


----------



## Drew345 (Dec 1, 2006)

Now I look at the C: drive right-click drop-down menu again. Only the 'Open' is in bold. Here is what is in the menu:
Open 
Explore 
Search…
Scan with AVG Anti-spyware
Sharing and security…
Scan
Add to Archive…
Add to "Archive.rar"
Compress and email…
Compress to Archive.rar and email
Format…
Copy 
Create Shortcut
Rename
Properties

It looks the same as before doing these things. In the first post, I put 'copy paste' and now I see only copy. I hope I didn't miscopy the first time. I thought I was accurate. Also, some of the ... have moved from one command to the other. Again, I could have miscopied the ...'s in the first one, but I did try to be really accurate.

I am off to work now.
I guess my big concern is if I can use this computer (is it clean?) to log into those financial institutions for monitoring and changing passwords. It seems like there is not a black or white answer for that. But thank you for your answers above.
Drew


----------



## Mosaic1 (Aug 17, 2001)

Use your other computer for now to make any changes. And don't use this system for anything sensitive. This may seem like overkill, but let's be as safe as possible.

After work, do post the regsearch results please. 

Is the Flash drive connected? 

When you right click on the J: drive in My Computer, what are the entries you see please?


Can you also search all drives for a file named info.exe (Although I think that is legitimate and only on your CD drives)


The idea is to see if and when this error comes back and what rewrites the registry after it has been cleaned up.


----------



## Mosaic1 (Aug 17, 2001)

In the meantime, don't try to open any drive by clicking on it in My Computer.
I think those files on your J: Drive are infectors.

I am attaching a zip file. Please create a new Folder on your desktop and name it Nasties.

Unzip the attachment to the nasties folder. So now you have nasties\getit.bat

Put the Flash drive in and then double click on getit.bat

This will copy all those files you noticed to the Nasties folder. Those are the files which have autorun in their titles.

Then please upload all those files you just copied using the batch, to Spykiller, as before. You can use Suspicious File Packer again to do that.

Take the flash drive out of the drive and don't use it again on any computer until we let you know.

I have been researching how flash drives spread infections. We need to see those files and then we'll likely delete them from your flash drive if they are, in fact, infectors.

When you run the Batch to copy these files if your AV denies access to these files, then you know they are positively nasty. If not, they still may be. Let's see what we find here.

The time zone difference is tremendous. That's why I am posting as I get more ideas to help. *Please be careful not to double click on any drive from My Computer until we get this settled.* I think your AV is doing a good job. But we can't be 100% sure yet.


----------



## Mosaic1 (Aug 17, 2001)

> It looks like that J:/ drive is clean now, (I did delete the offending autorun.exe yesterday). The disk just seems to be missing a 'autorun.vbs' file. I don't know if that is a real, necessary system file, or if that is still the trace of some virus.


Where was autorun.exe found? On the J: drive? Is it still in your recycle bin? If so, please include a copy of that file too in your upload.


----------



## Drew345 (Dec 1, 2006)

Here are the registry search results asked for in reply #40.
The J: Drive memory stick is not plugged in. I do not plug it in unless there is a need.

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 12/7/2006 4:14:32 PM for strings:
; 'autorun'
; Strings excluded from search:
; (None)
; Search in: 
; Registry Keys Registry Values Registry Data 
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8DF592B-DE05-49f5-BB21-084F548F12A9}]
@="iTunesAdminEnableAutoRun Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8DF592B-DE05-49f5-BB21-084F548F12A9}\ProgID]
@="iTunesAdmin.iTunesAdminEnableAutoRun.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8DF592B-DE05-49f5-BB21-084F548F12A9}\VersionIndependentProgID]
@="iTunesAdmin.iTunesAdminEnableAutoRun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun]
@="iTunesAdminEnableAutoRun Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun\CurVer]
@="iTunesAdmin.iTunesAdminEnableAutoRun.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun.1]
@="iTunesAdminEnableAutoRun Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iTunesAdmin.iTunesAdminEnableAutoRun.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\10.0\Access\Jet\4.0\ISAM Formats\Exchange 4.0]
"AutoRun"="YES"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\10.0\Access\Jet\4.0\ISAM Formats\Outlook 9.0]
"AutoRun"="YES"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\AutorunINFLegacyArrival]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\AutoScan\AutoRunPatch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\AutoScan\AutoRunPatch\{ced6b8f5-1107-43af-b172-4908e7439edc}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\AutoScan\AutoRunPatch\{ffcf421c-c5d5-411e-8eca-1e63f20e0191}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\autorun.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cdrom]
"AutoRun"=dword:00000001
; Contents of value:
; NEC MBR-7 
; NEC MBR-7.4 PIONEER CHANGR DR
; PIONEER CHANGR DRM-1804X PIONEER CD-ROM DRM-6324X PIONEER C
; PIONEER CD-ROM DRM-6324X PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; TORiSAN CD-ROM CDR_C36 
; 
"AutoRunAlwaysDisable"=hex(7):4e,45,43,20,20,20,20,20,4d,42,52,2d,37,20,20,20,\
00,4e,45,43,20,20,20,20,20,4d,42,52,2d,37,2e,34,20,00,50,49,4f,4e,45,45,52,\
20,43,48,41,4e,47,52,20,44,52,4d,2d,31,38,30,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,33,32,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,32,34,58,20,00,54,4f,52,69,53,41,4e,\
20,43,44,2d,52,4f,4d,20,43,44,52,5f,43,33,36,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk]
; Contents of value:
; Brother RemovableDisk(U) 
; 
"AutoRunAlwaysDisable"=hex(7):42,72,6f,74,68,65,72,20,52,65,6d,6f,76,61,62,6c,\
65,44,69,73,6b,28,55,29,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\autorun.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Cdrom]
"AutoRun"=dword:00000001
; Contents of value:
; NEC MBR-7 
; NEC MBR-7.4 PIONEER CHANGR DR
; PIONEER CHANGR DRM-1804X PIONEER CD-ROM DRM-6324X PIONEER C
; PIONEER CD-ROM DRM-6324X PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; TORiSAN CD-ROM CDR_C36 
; 
"AutoRunAlwaysDisable"=hex(7):4e,45,43,20,20,20,20,20,4d,42,52,2d,37,20,20,20,\
00,4e,45,43,20,20,20,20,20,4d,42,52,2d,37,2e,34,20,00,50,49,4f,4e,45,45,52,\
20,43,48,41,4e,47,52,20,44,52,4d,2d,31,38,30,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,33,32,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,32,34,58,20,00,54,4f,52,69,53,41,4e,\
20,43,44,2d,52,4f,4d,20,43,44,52,5f,43,33,36,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Disk]
; Contents of value:
; Brother RemovableDisk(U) 
; 
"AutoRunAlwaysDisable"=hex(7):42,72,6f,74,68,65,72,20,52,65,6d,6f,76,61,62,6c,\
65,44,69,73,6b,28,55,29,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\autorun.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000001
; Contents of value:
; NEC MBR-7 
; NEC MBR-7.4 PIONEER CHANGR DR
; PIONEER CHANGR DRM-1804X PIONEER CD-ROM DRM-6324X PIONEER C
; PIONEER CD-ROM DRM-6324X PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; PIONEER CD-ROM DRM-624X TORiSAN CD-ROM CDR_C36 
; TORiSAN CD-ROM CDR_C36 
; 
"AutoRunAlwaysDisable"=hex(7):4e,45,43,20,20,20,20,20,4d,42,52,2d,37,20,20,20,\
00,4e,45,43,20,20,20,20,20,4d,42,52,2d,37,2e,34,20,00,50,49,4f,4e,45,45,52,\
20,43,48,41,4e,47,52,20,44,52,4d,2d,31,38,30,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,33,32,34,58,00,50,49,4f,4e,45,45,52,\
20,43,44,2d,52,4f,4d,20,44,52,4d,2d,36,32,34,58,20,00,54,4f,52,69,53,41,4e,\
20,43,44,2d,52,4f,4d,20,43,44,52,5f,43,33,36,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
; Contents of value:
; Brother RemovableDisk(U) 
; 
"AutoRunAlwaysDisable"=hex(7):42,72,6f,74,68,65,72,20,52,65,6d,6f,76,61,62,6c,\
65,44,69,73,6b,28,55,29,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Internet Explorer\TypedURLs]
"url5"="http://forums.techguy.org/security/520967-vbs-gaggle-e-cant-double.html?highlight=autorun.vbs"

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}]
"AttemptedAutoRun"=dword:00000001

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}]
"AttemptedAutoRun"=dword:00000001

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\MediaPlayer\UIPlugins\{D5E49195-ED19-40fb-9EE0-E6625A808B77}]
"AttemptedAutoRun"=dword:00000001

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}]
; Contents of value:
;    ßß_Ï____ÏÏ___ÏÏÏ___ÏÏÏ__Ï_____ îÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ `  
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,cf,cf,5f,5f,\
5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,cf,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,60,00,00,00,08,06,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun]

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}\_Autorun\DefaultIcon]

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b9-5429-11db-b445-806d6172696f}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____ _____ÏÏ____ îÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21866eae-28db-11db-8c3e-0016ecd49cce}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____ îÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell]
@="AutoRun"

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun]

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun\command]

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e77264-7878-11db-b4ae-0016ecdd5bc2}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____Ï_____ÏÏ____ÏÏÏÏÏîÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7694a70-59eb-11db-b455-0016ecdd5bc2}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____ îÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,07,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef3043d4-fd6d-11da-a0ff-806d6172696f}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____ îÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ffb343d8-59e6-11db-b454-0016ecdd5bc2}]
; Contents of value:
;    ßß_ß____ßß___ßßß___ßßß__ß_____Ï_____ÏÏ____ÏÏÏÏÏîÿÿÿÿÿÿÿÿÿÿÿÿÿ   
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

; End Of The Log...


----------



## Mosaic1 (Aug 17, 2001)

It looks like the entries are gone for now. But if you connect the flash drive again, do you get that same problem?

We really need to find out. And please could you do that and then run the batch file I uploaded please. I would very much like to see those autorun files you saw inside it. Then after a closer look, we can see if we can clean up that flash drive. Don't delete anything until we see what those files are. And remember, don't try to access the flash drive using My Computer. Just load it and run the batch. Thanks. Good luck.


----------



## Drew345 (Dec 1, 2006)

I downloaded and unzipped the getit.bat into the nasties folder. I plugged in the J drive memory stick. Now I right clicked in the 'my computer' on the memory stick to see the menu. I see this:
(foreign text) (O)
AuotPlay
(foreign text) (X) 
Search…
Scan with AVG Anti-spyware
Sharing and security…
Open as portable media device
Scan
Add to Archive…
Add to "Archive.rar"
Compress and email…
Compress to "Archive.rar" and email
Format…
Eject
Cut
Copy 
Paste
Create Shortcut
Rename
Properties

When I say (foreign text), it is like something not readable on my computer, not really a language.

I searched all drives for 'info.exe'

There were a number of files with 'info.exe' at the end of the file name. For example 'systeminfo.exe' in the 'c:/windows/sys32' folder and 'mcinfo.exe' in the program files/mcafee folder. But nothing with just that name 'info.exe'. I do have the J drive memory stick in now and it is searching it.
Nothing was found on the J Drive with that name.

I am about to run the getit.bat and upload those files.

I am not sure what you mean in entry #44 where you say 'when you connect the j drive, do you get those same problems'. This is difficult to answer for this reason. The problem is that when I double click the j: drive memory stick in the 'my computer' window, I get the 'cannot find autorun.vbs' error (and who knows what else happens). I am operating under the premise of 'never double click on anything in the my computer window now'. So it is hard to know if I get the same problem. I'm not being a smarta--, just explaining. Is there some other way you wanted me to check on 'get those same problems' without double click opening it in the 'my computer' window?
I will do the getit.bat now, post those files. Then I think I need to do another registry search (now that I plugged in the j drive).


----------



## Mosaic1 (Aug 17, 2001)

Thanks. That's what the nasty adds to the context menu. 
(foreign text) (O)
AuotPlay
(foreign text) (X) 



Hopefully the files you send will shed some light. 


It is almost 3 am here but I'll wait a bit to see the files. 


Your registry search is going to show the changes which were made to the mountpoints2 key.


----------
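Added example, not part of the original thread: a small Python audit of a REGEDIT4 export like the registry search results posted above, covering the two things Mosaic1 is looking for. It decodes the `NoDriveTypeAutoRun` bitmask and lists the shell verbs cached under `MountPoints2`. The function names are illustrative assumptions, and the sample input is a trimmed excerpt of that export with the hex data shortened.

```python
import re

# One bit per GetDriveType() class; a set bit disables AutoRun for that class.
DRIVE_BITS = {
    0x01: "unknown", 0x02: "no root dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved",
}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?P<data>.*)$')
MOUNT_RE = re.compile(
    r"\\MountPoints2\\(?P<vol>[^\\]+)\\Shell(?P<rest>\\.*)?$", re.I)

# Trimmed excerpt of the export posted in this thread (hex data shortened).
SAMPLE = r"""REGEDIT4

; Results for strings: 'autorun'
[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{058147b6-5429-11db-b445-806d6172696f}]
"_AutorunStatus"=hex:01,00,01,\
00,00,01

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell]
@="AutoRun"

[HKEY_USERS\S-1-5-21-3368850538-3122947942-4152638423-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44099d41-287f-11db-8c3a-806d6172696f}\Shell\AutoRun\command]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
"""


def parse_reg(text):
    """Return {key: {value_name: raw_data}}; '@' is the default value."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            # Continuation of a hex value split with a trailing backslash.
            more = line.endswith("\\")
            keys[current][pending] += line.rstrip("\\")
            pending = pending if more else None
            continue
        if not line or line.startswith(";"):
            continue  # blank line or tool comment
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group("name") or "@", m.group("data")
            if data.endswith("\\"):
                pending, data = name, data[:-1]
            keys[current][name] = data
    return keys


def dword(data):
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
    return int(m.group(1), 16) if m else None


def autorun_enabled_types(mask):
    """Drive classes for which AutoRun is still allowed under this mask."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]


def audit(text):
    findings, verbs = [], {}
    for key, values in parse_reg(text).items():
        if key.lower().endswith(r"\policies\explorer"):
            mask = dword(values.get("NoDriveTypeAutoRun", ""))
            # 0x04 clear means autorun.inf on USB sticks is honoured.
            if mask is not None and not mask & 0x04:
                findings.append(("autorun-on-removable", key, f"0x{mask:02x}"))
        m = MOUNT_RE.search(key)
        if m:
            # Explorer caches the verbs from a volume's autorun.inf here.
            entry = verbs.setdefault(
                m.group("vol"), {"default": None, "commands": []})
            rest = m.group("rest") or ""
            if not rest:
                entry["default"] = values.get("@", "").strip('"') or None
            elif rest.lower().endswith(r"\command"):
                entry["commands"].append(rest.split("\\")[1])
    findings += [("cached-shell-verb", v, e) for v, e in verbs.items()]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A mask of 0x91 leaves the removable bit clear, while 0xFF sets every bit and disables AutoRun for all drive classes. A volume reported with default verb `AutoRun` is one whose double-click action in My Computer comes from the cached autorun.inf rather than from Explorer's normal open.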



## Mosaic1 (Aug 17, 2001)

Here's the link to your thread at SpyKiller Uploads so you can send those files up.

http://www.thespykiller.co.uk/forum/index.php?topic=3197.0

Thanks.


----------



## Drew345 (Dec 1, 2006)

I ran the getit.bat and it copied all those autorun*.* files from my J: Drive memory stick to that nasties folder.
I used Suspicious File packer to pack them. I am not exactly sure if I used that correctly. In the Paste text window, I just put this list of filenames (No folder locations included). Then I hit continue and the file was created.

autorun.apm
autorun.bin
autorun.bmp
autorun.essss
autorun.esssssssssss
autorun.essssssssssssssss
Autorun.exe_被?蔽木?
AUTORUN.FCB
Autorun.ico
autorun.inf
AUTORUN.INF1
autorun.inf_被?蔽木?
Autorun.ini
AUTORUN.PNF
autorun.rar
autorun.reg

I posted this packed file at:

http://www.thespykiller.co.uk/forum/index.php?topic=3206.0
with the title requested files for autorun.vbs case.


----------



## Drew345 (Dec 1, 2006)

Oops, just sent them to a new posting, sorry for confusion. Our posts crossed in the ether.


----------



## Mosaic1 (Aug 17, 2001)

Don't worry about the cross posting. It happens all the time.

The files weren't in the cab you sent. Let's do this. Right click on the nasties folder and select Send To > Compressed. This will create a compressed file named nasties on your desktop. Please upload that to Spykiller. I'll let you know what I find in those files.

Thanks.


----------



## Drew345 (Dec 1, 2006)

In response to #42.
The autoexec.bat file was located on the J: Drive memory stick. It was the only file positively identified by Kaspersky as a virus. I deleted the file (per cookiegal instructions). Since it was on the J Drive, it is not in the recycle bin, it is gone (sorry, good riddance).
Getting on to the new registry search now.


----------



## Drew345 (Dec 1, 2006)

Two problems with compressing the nasties folder as requested in #50.
When I try to compress, I get an error about 'to handle zipped files correctly, the application associated with them must be compressed. Do you want the folder 'nasties' to be listed as the application' (something like that). I can say yes or no, and then it goes on to the second error.
The second error is that the zip application cannot handle the special characters in two of the file names (two files have some junk in the name).
I guess I can move those two files to another folder, but I hate handling them that way.
Maybe you could give me the text that I should put in the first window of the suspicious file packer so I can get that to work correctly. (or you could sleep, thanks)


----------



## Mosaic1 (Aug 17, 2001)

Ok thanks. And that may be a good thing for sure. I didn't realize it was on the J: drive. It's getting close to the time of night when this forum is shut down for maintenance and backup. If that happens, I will sign off for the night. Please try to upload that nasties folder to Spykiller ASAP so we can get as much done as possible. I think it is those files, the autorun.inf responsible. But I would like to see the set of files and how exactly they did this so we can get the word out to the AV companies.


----------



## Drew345 (Dec 1, 2006)

You want me to upload that nasties folder. How? By just going to spykiller and browsing to that folder? Or trying to get SFP to work again?


----------



## Mosaic1 (Aug 17, 2001)

Sorry Drew, I was answering your question at TSG when it was shutdown for the nightly backup.

Compress the entire nasties folder by right clicking on it and selecting send to > Compressed, don't use SFP, and upload it please. Go to your post at Spykiller and reply, uploading that new compressed file. It is those various autorun files causing your problem. We just have to get the specifics. Hang in there. 
You deleted that autoexec.bat from the J: drive. It was infected? 

Was or is that Flash drive bootable?


----------



## Drew345 (Dec 1, 2006)

Sorry I left when site shutdown. Had to go to my AA meeting; wouldn't want to drink over this. Thought you were asleep anyway.

When I try to compress the Nasties folder (by right-clicking, Send To, Compressed) I get two error problems. Right away I get this error:

For Compressed (zipped) Folders to handle ZIP files correctly, the application associated with them must be Compressed (zipped) Folders. Currently this is not the case.
Do you want to designate Compressed (zipped) Folders as the application for handling ZIP files? Yes button and No Button

I can press Yes or No and either way the compression begins, then the next error comes with no way around it.

The compression cannot be performed because the file or directory Nastie\Autorun.exe_被?蔽木 contains characters in its name that Compressed (zipped) Folders cannot store.

Remember the file names have two with just bizarre characters:

autorun.apm
autorun.bin
autorun.bmp
autorun.essss
autorun.esssssssssss
autorun.essssssssssssssss
Autorun.exe_被?蔽木?
AUTORUN.FCB
Autorun.ico
autorun.inf
AUTORUN.INF1
autorun.inf_被?蔽木?
Autorun.ini
AUTORUN.PNF
autorun.rar
autorun.reg

Those two filenames with bizarre characters are stopping the compression.

I could delete those two files and compress the rest. I am afraid to just click them and delete them, because earlier when you moved them from my J: Drive memory stick to my desktop, you gave me a special script to do it. So I am thinking clicking and delete or dragging to trash might not be safe.

It would be nice to use that suspicious file packer. When I start SFP I get the instructions:

Please paste the text you received from Team Spybot into the text box bellow, then press continue.

In the box, I just put the list of files that I listed above. But it seems to be wanting some text with some more directions than that, maybe pointing to the folder or something. Could you see what text I need to put into that SFP box to make that work.

You are correct. I deleted that autorun.bat from the J: Drive, and it was infected. The Kaspersky log showing the infection is in post 11 of this thread. The last line of that Kaspersky log shows

J:\autorun.bat Infected: Virus.Win32.Small.k skipped

Then Cookiegal recommends to me in post number 15:
Then delete this file from your J drive:
J:\autorun.bat
(she didn't know about all the other autorun*.* files on that J drive yet.)

I don't think that infected flash drive is or was bootable. I never made it bootable. Never used it that way. Strictly for file transfers.

I am really sorry I couldn't upload those files to you. I know you are going to wake up looking for them. I will wake up early and come check for a further recommendation for uploading those. I'll probably wake up only a couple of hours after you, since I am going to bed now. I don't have to split for work tomorrow either, no classes on Friday.

Can I ask a favor please.
Since this computer (my desktop) is 'down', I want to use my laptop for monitoring my bank accounts. I scanned it with Kaspersky and got inconsistent results from the scan. Could you take a look at this link for me and comment or pass it on. I really need to get one computer back online safe for internet banking.

http://forums.techguy.org/security/524752-kaspersky-scan-winvnc-infection-keylogger.html

Thanks,
Goodnight,
Drew


----------



## Drew345 (Dec 1, 2006)

Persistence Pays off!
I think I got the files into the suspicious file packer. Yes, I am sure, cause the output file has a bigger size than before. 
I put in the directory path in front of each filename like this:

C:\Documents and Settings\Owner.ANDREW\Desktop\Nasties\ filename

Then I pasted that into the Suspicious File packer box. Maybe I could have even packed them directly from the J: Drive if I had put the path in front of each name.

I posted the Suspicious file packer output in spykiller at this link:

http://www.thespykiller.co.uk/forum/index.php?topic=3156.0

OK, now goodnight.
Drew


----------



## Mosaic1 (Aug 17, 2001)

Thanks. I have a lot of questions.

Let's start by having you run that regfile to clean out the mountpoints2 entries again.

Did you ever have RAV AV installed on your system?

I'd like to see a few reports. If all doesn't fit into one response, please break them up so I can see  it in its entirety.

Download Autoruns from this page:
http://www.sysinternals.com/Utilities/Autoruns.html

Unzip to a folder and then double click on autoruns.exe

Wait until the program has finished running (the status line will show 'Ready')
Under the 'Options' menu, make sure that 'Include Empty Sections' is checked.
Wait again until ready.

Be sure the 'Everything' tab is selected.
Select 'File -> Save' and save the output file.

Copy the contents of the Autoruns text file and post its contents in your next reply here. 
-------------------


----------



## Drew345 (Dec 1, 2006)

I ran the 'fixdrew.reg' file that cookiegal sent me before to clean up.

I never had RAV AV. I bought this computer only 6 weeks ago (In San Diego, no Korea). Don't think it ever had RAV AV.

I downloaded Autoruns. I am about to run autoruns.exe now. I will paste the contents of the autoruns text file into the next reply or several replies if too big.


----------



## Mosaic1 (Aug 17, 2001)

Next, please search all drives, including J: for these files:
autoexec.exe
reper.exe
RavMon.exe
autorun.bat
rav.exe


This thing made changes to how files are displayed. So before you do the search please follow these instructions:
Reset your search settings first.

Open Folder Options>view and check your settings:
Select 
Show hidden files and folders 
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders



Let me know what you find.

Also search all for these folders:
rav
rfw

Did you use Panda online to scan all drives including the J: drive yet?

If not please do that and save the report. Post that too.


Now after you have finished, we are going to want to remove these infectors from your flash drive.

For now, you can remove these:
autorun.bin
autorun.inf 
autorun.bmp
Autorun.ico
autorun.reg
autorun.essssssssssssssss
autorun.essss
autorun.esssssssssss
autorun.rar
AUTORUN.FCB
AUTORUN.INF1

Some of the dates on these files differ. All may not be a part of the infector. But one looks like some kind of games installer? Do you know anything about that?

Also the infector's dates show this may have been on your flash drive for a while. So be careful to check your other system for any problem too.


----------



## Drew345 (Dec 1, 2006)

HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms 

+ rdpclip	RDP Clip Monitor	Microsoft Corporation	c:\windows\system32\rdpclip.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit 

+ C:\WINDOWS\system32\userinit.exe	Userinit Logon Application	Microsoft Corporation	c:\windows\system32\userinit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell 

+ Explorer.exe	Windows Explorer	Microsoft Corporation	c:\windows\explorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 

+ !AVG Anti-Spyware	AVG Anti-Spyware	Anti-Malware Development a.s.	c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe

+ AlwaysReady Power Message APP	ARPowerMessage Application	Microsoft	c:\windows\arpwrmsg.exe

+ CHotkey	Multimedia Keyboard Driver c:\windows\zhotkey.exe

+ ehTray	Media Center Tray Applet	Microsoft Corporation	c:\windows\ehome\ehtray.exe

+ Google Desktop Search c:\program files\google\google desktop search\googledesktop.exe

+ iTunesHelper	iTunesHelper Module	Apple Computer, Inc.	c:\program files\itunes\ituneshelper.exe

+ MCAgentExe	McAfee SecurityCenter Agent	McAfee, Inc	c:\program files\mcafee.com\agent\mcagent.exe

+ MCUpdateExe	McAfee SecurityCenter Update Engine	McAfee, Inc	c:\program files\mcafee.com\agent\mcupdate.exe

+ MPFExe	McAfee Personal Firewall Tray Monitor	McAfee Security	c:\program files\mcafee.com\personal firewall\mpftray.exe

+ MSKAGENTEXE	McAfee SpamKiller Agent Interface module	McAfee Inc.	c:\program files\mcafee\spamkiller\mskagent.exe

+ MSKDetectorExe	McAfee SpamKiller Account Detector	McAfee, Inc.	c:\program files\mcafee\spamkiller\mskdetct.exe

+ NvCplDaemon	NVIDIA Display Properties Extension	NVIDIA Corporation	c:\windows\system32\nvcpl.dll

+ NvMediaCenter	NVIDIA Media Center Library	NVIDIA Corporation	c:\windows\system32\nvmctray.dll

+ nwiz	NVIDIA nView Wizard, Version 110.13 NVIDIA Corporation	c:\windows\system32\nwiz.exe

+ OASClnt	McAfee VirusScan OAS Client	McAfee, Inc.	c:\program files\mcafee.com\vso\oasclnt.exe

+ QuickTime Task	QuickTime Task	Apple Computer, Inc.	c:\program files\quicktime\qttask.exe

+ readericon	Sunkist	Alcor Micro, Corp.	c:\program files\digital media reader\readericon45g.exe

+ Recguard	Recguard MFC Application c:\windows\sminst\recguard.exe

+ Reminder	Application Remind_XP	SoftThinks	c:\windows\creator\remind_xp.exe

+ RTHDCPL	Realtek HD Audio Control Panel	Realtek Semiconductor Corp.	c:\windows\rthdcpl.exe

+ VirusScan Online	McAfee VirusScan ActiveShield Resource	McAfee, Inc.	c:\program files\mcafee.com\vso\mcvsshld.exe

+ VSOCheckTask	McAfee VirusScan Command Handler	McAfee, Inc.	c:\program files\mcafee.com\vso\mcmnhdlr.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup 

+ Acrobat Assistant.lnk	AcroTray	Adobe Systems Inc.	c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe

+ BigFix.lnk	BigFix Client Application	BigFix Inc.	c:\program files\bigfix\bigfix.exe

+ Microsoft Office.lnk	Microsoft Office XP component	Microsoft Corporation	c:\program files\microsoft office\office10\osa.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run 

+ ctfmon.exe	CTF Loader	Microsoft Corporation	c:\windows\system32\ctfmon.exe

+ MSMSGS	Windows Messenger	Microsoft Corporation	c:\program files\messenger\msmsgs.exe

HKLM\SOFTWARE\Classes\Protocols\Filter 

+ application/octet-stream	Microsoft .NET Runtime Execution Engine	Microsoft Corporation	c:\windows\system32\mscoree.dll

+ application/x-complus	Microsoft .NET Runtime Execution Engine	Microsoft Corporation	c:\windows\system32\mscoree.dll

+ application/x-msdownload	Microsoft .NET Runtime Execution Engine	Microsoft Corporation	c:\windows\system32\mscoree.dll

+ Class Install Handler	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ deflate	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ gzip	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ lzdhtml	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ text/webviewhtml	Windows Shell Common Dll	Microsoft Corporation	c:\windows\system32\shell32.dll

+ text/xml	Microsoft Office XML MIME Filter	Microsoft Corporation	c:\program files\common files\microsoft shared\office11\msoxmlmf.dll

HKLM\SOFTWARE\Classes\Protocols\Handler 

+ about	Microsoft (R) HTML Viewer	Microsoft Corporation	c:\windows\system32\mshtml.dll

+ cdl	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ cdo	Microsoft SharePoint Portal Server Object Model	Microsoft Corporation	c:\program files\common files\microsoft shared\web folders\pkmcdo.dll

+ dvd	ActiveX control for streaming video	Microsoft Corporation	c:\windows\system32\msvidctl.dll

+ file	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ ftp	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ gopher	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ http	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ https	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ its	Microsoft® InfoTech Storage System Library	Microsoft Corporation	c:\windows\system32\itss.dll

+ javascript	Microsoft (R) HTML Viewer	Microsoft Corporation	c:\windows\system32\mshtml.dll

+ local	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ mailto	Microsoft (R) HTML Viewer	Microsoft Corporation	c:\windows\system32\mshtml.dll

+ mhtml	Microsoft Internet Messaging API	Microsoft Corporation	c:\windows\system32\inetcomm.dll

+ mk	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ ms-its	Microsoft® InfoTech Storage System Library	Microsoft Corporation	c:\windows\system32\itss.dll

+ ms-itss	Microsoft® InfoTech Storage System Library	Microsoft Corporation	c:\program files\common files\microsoft shared\information retrieval\msitss.dll

+ mso-offdap	Microsoft Office XP Web Components	Microsoft Corporation	c:\program files\common files\microsoft shared\web components\10\owc10.dll

+ mso-offdap11	Microsoft Office Web Components 2003	Microsoft Corporation	c:\program files\common files\microsoft shared\web components\11\owc11.dll

+ res	Microsoft (R) HTML Viewer	Microsoft Corporation	c:\windows\system32\mshtml.dll

+ sysimage	Microsoft (R) HTML Viewer	Microsoft Corporation	c:\windows\system32\mshtml.dll

+ tv	ActiveX control for streaming video	Microsoft Corporation	c:\windows\system32\msvidctl.dll

+ vbscript	Microsoft (R) HTML Viewer	Microsoft Corporation	c:\windows\system32\mshtml.dll

+ wia	WIA Scripting Layer	Microsoft Corporation	c:\windows\system32\wiascr.dll

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components 

+ 0 File not found: About:Home

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components 

+ Address Book 6	Outlook Express Setup Library	Microsoft Corporation	c:\program files\outlook express\setup50.exe

+ Internet Explorer	Windows NT User Data Migration Tool	Microsoft Corporation	c:\windows\system32\shmgrate.exe

+ Internet Explorer	Windows Setup API	Microsoft Corporation	c:\windows\system32\setupapi.dll

+ Internet Explorer 6	IE 5.0 Per-User Install Utility	Microsoft Corporation	c:\windows\system32\ie4uinit.exe

+ KB910393	ADVPACK	Microsoft Corporation	c:\windows\system32\advpack.dll

+ Media Center	Windows Setup API	Microsoft Corporation	c:\windows\system32\setupapi.dll

+ Microsoft Outlook Express 6	Outlook Express Setup Library	Microsoft Corporation	c:\program files\outlook express\setup50.exe

+ Microsoft Windows Media Player	Microsoft Windows Media Player Setup Utility	Microsoft Corporation	c:\windows\inf\unregmp2.exe

+ Microsoft Windows Media Player	ADVPACK	Microsoft Corporation	c:\windows\system32\advpack.dll

+ n/a	Microsoft .NET IE SECURITY REGISTRATION	Microsoft Corporation	c:\windows\system32\mscories.dll

+ NetMeeting 3.01	ADVPACK	Microsoft Corporation	c:\windows\system32\advpack.dll

+ Outlook Express	Windows NT User Data Migration Tool	Microsoft Corporation	c:\windows\system32\shmgrate.exe

+ Themes Setup	Microsoft(C) Register Server	Microsoft Corporation	c:\windows\system32\regsvr32.exe

+ Windows Desktop Update	Microsoft(C) Register Server	Microsoft Corporation	c:\windows\system32\regsvr32.exe

+ Windows Messenger 4.7	ADVPACK	Microsoft Corporation	c:\windows\system32\advpack.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler 

+ Browseui preloader	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Component Categories cache daemon	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 

+ CDBurn	Windows Shell Common Dll	Microsoft Corporation	c:\windows\system32\shell32.dll

+ PostBootReminder	Windows Shell Common Dll	Microsoft Corporation	c:\windows\system32\shell32.dll

+ SysTray	Systray shell service object	Microsoft Corporation	c:\windows\system32\stobject.dll

+ WebCheck	Web Site Monitor	Microsoft Corporation	c:\windows\system32\webcheck.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks 

+ AVG Anti-Spyware 7.5	AVG Anti-Spyware shellexecutehook	Anti-Malware Development a.s.	c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

+ shell32.dll	Windows Shell Common Dll	Microsoft Corporation	c:\windows\system32\shell32.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved 

+ %DESC_PublishDropTarget%	Photo Printing Wizard	Microsoft Corporation	c:\windows\system32\photowiz.dll

+ &Address	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ .CAB file viewer	Cabinet File Viewer Shell Extension	Microsoft Corporation	c:\windows\system32\cabview.dll

+ Accessible	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ ActiveX Cache Folder	Object Control Viewer	Microsoft Corporation	c:\windows\system32\occache.dll

+ Address EditBox	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Administrative Tools	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Adobe.Acrobat.ContextMenu	Adobe Acrobat Elements	Adobe Systems Inc.	c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll

+ Audio Media Properties Handler	Media File Property Extractor Shell Extension	Microsoft Corporation	c:\windows\system32\shmedia.dll

+ Augmented Shell Folder	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Augmented Shell Folder 2	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Auto Update Property Sheet Extension	Automatic Updates Control Panel	Microsoft Corporation	c:\windows\system32\wuaucpl.cpl

+ Avi Properties Handler	Media File Property Extractor Shell Extension	Microsoft Corporation	c:\windows\system32\shmedia.dll

+ BandProxy	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Briefcase	Windows Briefcase	Microsoft Corporation	c:\windows\system32\syncui.dll

+ CDF Extension Copy Hook	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Channel File	Channel Definition File Viewer	Microsoft Corporation	c:\windows\system32\cdfview.dll

+ Channel Handler Object	Channel Definition File Viewer	Microsoft Corporation	c:\windows\system32\cdfview.dll

+ Channel Menu	Channel Definition File Viewer	Microsoft Corporation	c:\windows\system32\cdfview.dll

+ Channel Properties	Channel Definition File Viewer	Microsoft Corporation	c:\windows\system32\cdfview.dll

+ Channel Shortcut	Channel Definition File Viewer	Microsoft Corporation	c:\windows\system32\cdfview.dll

+ Code Download Agent	Web Site Monitor	Microsoft Corporation	c:\windows\system32\webcheck.dll

+ Compatibility Page	Compatibility Tab Shell Extension DLL	Microsoft Corporation	c:\windows\system32\slayerxp.dll

+ Compressed (zipped) Folder	Compressed (zipped) Folders	Microsoft Corporation	c:\windows\system32\zipfldr.dll

+ Compressed (zipped) Folder Right Drag Handler	Compressed (zipped) Folders	Microsoft Corporation	c:\windows\system32\zipfldr.dll

+ Compressed (zipped) Folder SendTo Target	Compressed (zipped) Folders	Microsoft Corporation	c:\windows\system32\zipfldr.dll

+ ConnectionAgent	Web Site Monitor	Microsoft Corporation	c:\windows\system32\webcheck.dll

+ Crypto PKO Extension	Crypto Shell Extensions	Microsoft Corporation	c:\windows\system32\cryptext.dll

+ Crypto Sign Extension	Crypto Shell Extensions	Microsoft Corporation	c:\windows\system32\cryptext.dll

+ Custom MRU AutoCompleted List	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Darwin App Publisher	Shell Application Manager	Microsoft Corporation	c:\windows\system32\appwiz.cpl

+ Desktop Explorer	NVIDIA Desktop Explorer, Version 110.13 NVIDIA Corporation	c:\windows\system32\nvshell.dll

+ Desktop Explorer Menu	NVIDIA Desktop Explorer, Version 110.13 NVIDIA Corporation	c:\windows\system32\nvshell.dll

+ DfsShell	Distributed File System shell extension	Microsoft Corporation	c:\windows\system32\dfsshlex.dll

+ Directory Context Menu Verbs	Directory Service Common UI	Microsoft Corporation	c:\windows\system32\dsuiext.dll

+ Directory Object Find	Directory Service Find	Microsoft Corporation	c:\windows\system32\dsquery.dll

+ Directory Property UI	Directory Service Common UI	Microsoft Corporation	c:\windows\system32\dsuiext.dll

+ Directory Query UI	Directory Service Find	Microsoft Corporation	c:\windows\system32\dsquery.dll

+ Directory Start/Search Find	Directory Service Find	Microsoft Corporation	c:\windows\system32\dsquery.dll

+ Disk Copy Extension	Windows DiskCopy	Microsoft Corporation	c:\windows\system32\diskcopy.dll

+ Disk Quota UI	Windows Shell Disk Quota UI DLL	Microsoft Corporation	c:\windows\system32\dskquoui.dll

+ Display Adapter CPL Extension	Advanced display adapter properties	Microsoft Corporation	c:\windows\system32\deskadp.dll

+ Display Monitor CPL Extension	Advanced display monitor properties	Microsoft Corporation	c:\windows\system32\deskmon.dll

+ Display Panning CPL Extension File not found: deskpan.dll

+ Display TroubleShoot CPL Extension	Advanced display performance properties	Microsoft Corporation	c:\windows\system32\deskperf.dll

+ Download Status	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ DS Security Page	Directory Service Security UI	Microsoft Corporation	c:\windows\system32\dssec.dll

+ E-mail	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Explorer Band	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Extensions Manager Folder	Extensions Manager	Microsoft Corporation	c:\windows\system32\extmgr.dll

+ Favorites Band	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Fonts	Windows Font Folder	Microsoft Corporation	c:\windows\system32\fontext.dll

+ Fonts	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ For &People...	Find People	Microsoft Corporation	c:\program files\outlook express\wabfind.dll

+ FTP Folders Webview	Microsoft Internet Explorer FTP Folder Shell Extension	Microsoft Corporation	c:\windows\system32\msieftp.dll

+ Fusion Cache	Microsoft .NET Runtime Execution Engine	Microsoft Corporation	c:\windows\system32\mscoree.dll

+ GDI+ file thumbnail extractor	Windows Picture and Fax Viewer	Microsoft Corporation	c:\windows\system32\shimgvw.dll

+ Get a Passport Wizard	Map Network Drives/Network Places Wizard	Microsoft Corporation	c:\windows\system32\netplwiz.dll

+ Global Folder Settings	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Help and Support	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Help and Support	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ History	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ HTML Thumbnail Extractor	Windows Picture and Fax Viewer	Microsoft Corporation	c:\windows\system32\shimgvw.dll

+ HyperTerminal Icon Ext	HyperTerminal Applet Library	Hilgraeve, Inc.	c:\windows\system32\hticons.dll

+ ICC Profile	Microsoft Color Matching System User Interface DLL	Microsoft Corporation	c:\windows\system32\icmui.dll

+ ICM Monitor Management	Microsoft Color Matching System User Interface DLL	Microsoft Corporation	c:\windows\system32\icmui.dll

+ ICM Printer Management	Microsoft Color Matching System User Interface DLL	Microsoft Corporation	c:\windows\system32\icmui.dll

+ ICM Scanner Management	Microsoft Color Matching System User Interface DLL	Microsoft Corporation	c:\windows\system32\icmui.dll

+ IE4 Suite Splash Screen	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ In-pane search	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Installed Apps Enumerator	Shell Application Manager	Microsoft Corporation	c:\windows\system32\appwiz.cpl

+ Internet	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Internet Name Space	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ InternetShortcut	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ ISFBand OC	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ iTunes	iTunes Mini Player DLL	Apple Computer, Inc.	c:\program files\itunes\itunesminiplayer.dll

+ MediaCenter Property Page	ARPower Dynamic Link Library COM	Microsoft	c:\windows\arpower.dll

+ Microsoft Agent Character Property Sheet Handler	Microsoft Agent Property Sheet Handler	Microsoft Corporation	c:\windows\msagent\agentpsh.dll

+ Microsoft AutoComplete	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Microsoft Browser Architecture	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Microsoft BrowserBand	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Microsoft Data Link	Microsoft Data Access - OLE DB Core Services	Microsoft Corporation	c:\program files\common files\system\ole db\oledb32.dll

+ Microsoft DocProp Inplace Calendar Control	Microsoft DocProp Shell Ext	Microsoft Corporation	c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace Droplist Combo Control	Microsoft DocProp Shell Ext	Microsoft Corporation	c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace Edit Box Control	Microsoft DocProp Shell Ext	Microsoft Corporation	c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace ML Edit Box Control	Microsoft DocProp Shell Ext	Microsoft Corporation	c:\windows\system32\docprop2.dll

+ Microsoft DocProp Inplace Time Control	Microsoft DocProp Shell Ext	Microsoft Corporation	c:\windows\system32\docprop2.dll

+ Microsoft DocProp Shell Ext	Microsoft DocProp Shell Ext	Microsoft Corporation	c:\windows\system32\docprop2.dll

+ Microsoft History AutoComplete List	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Microsoft Internet Toolbar	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Microsoft Multiple AutoComplete List Container	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Microsoft Office HTML Icon Handler	Microsoft Office XP component	Microsoft Corporation	c:\program files\microsoft office\office10\msohev.dll

+ Microsoft Office Outlook Desktop Icon Handler	Microsoft Shell Extension Library	Microsoft Corporation	c:\program files\microsoft office\office10\mlshext.dll

+ Microsoft Outlook Custom Icon Handler	Outlook Shell Hook for Start/Find	Microsoft Corporation	c:\program files\microsoft office\office10\olkfstub.dll

+ Microsoft Shell Folder AutoComplete List	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Microsoft Url History Service	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Microsoft Url Search Hook	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Midi Properties Handler	Media File Property Extractor Shell Extension	Microsoft Corporation	c:\windows\system32\shmedia.dll

+ MMC Icon Handler	MMC Shell Extension DLL	Microsoft Corporation	c:\windows\system32\mmcshext.dll

+ MRU AutoComplete List	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Multimedia File Property Sheet	Control Panel Drivers Applet	Microsoft Corporation	c:\windows\system32\mmsys.cpl

+ MyDocs Copy Hook	My Documents Folder UI	Microsoft Corporation	c:\windows\system32\mydocs.dll

+ MyDocs Drop Target	My Documents Folder UI	Microsoft Corporation	c:\windows\system32\mydocs.dll

+ MyDocs Properties	My Documents Folder UI	Microsoft Corporation	c:\windows\system32\mydocs.dll

+ Network Connections	Network Connections Shell	Microsoft Corporation	c:\windows\system32\netshell.dll

+ Network Connections	Network Connections Shell	Microsoft Corporation	c:\windows\system32\netshell.dll

+ NTFS Security Page	Security Shell Extension	Microsoft Corporation	c:\windows\system32\rshx32.dll

+ NvCpl DesktopContext Class	NVIDIA Display Properties Extension	NVIDIA Corporation	c:\windows\system32\nvcpl.dll

+ nView Desktop Context Menu	NVIDIA Desktop Explorer, Version 110.13 NVIDIA Corporation	c:\windows\system32\nvshell.dll

+ Offline Files Folder	Client Side Caching UI	Microsoft Corporation	c:\windows\system32\cscui.dll

+ Offline Files Folder Options	Client Side Caching UI	Microsoft Corporation	c:\windows\system32\cscui.dll

+ Offline Files Menu	Client Side Caching UI	Microsoft Corporation	c:\windows\system32\cscui.dll

+ OLE Docfile Property Page	OLE DocFile Property Page	Microsoft Corporation	c:\windows\system32\docprop.dll


----------



## Drew345 (Dec 1, 2006)

+ Play on my TV helper	NVIDIA Display Properties Extension	NVIDIA Corporation	c:\windows\system32\nvcpl.dll

+ PlusPack CPL Extension	Windows Theme API	Microsoft Corporation	c:\windows\system32\themeui.dll

+ Portable Media Devices	Portable Media Devices Shell Extension	Microsoft Corporation	c:\windows\system32\audiodev.dll

+ Portable Media Devices Menu	Portable Media Devices Shell Extension	Microsoft Corporation	c:\windows\system32\audiodev.dll

+ PostAgent	Web Site Monitor	Microsoft Corporation	c:\windows\system32\webcheck.dll

+ Previous Versions	Previous Versions property page	Microsoft Corporation	c:\windows\system32\twext.dll

+ Previous Versions Property Page	Previous Versions property page	Microsoft Corporation	c:\windows\system32\twext.dll

+ Print Ordering via the Web	Map Network Drives/Network Places Wizard	Microsoft Corporation	c:\windows\system32\netplwiz.dll

+ Printers Security Page	Security Shell Extension	Microsoft Corporation	c:\windows\system32\rshx32.dll

+ Registry Tree Options Utility	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Remote Sessions CPL Extension	Remote Sessions CPL Extension	Microsoft Corporation	c:\windows\system32\remotepg.dll

+ Run...	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ SampleView	ShellvRTF	XSS	c:\windows\system32\shellvrtf.dll

+ Scanners & Cameras	Imaging Devices Shell Folder UI	Microsoft Corporation	c:\windows\system32\wiashext.dll

+ Scanners & Cameras	Imaging Devices Shell Folder UI	Microsoft Corporation	c:\windows\system32\wiashext.dll

+ Scanners & Cameras	Imaging Devices Shell Folder UI	Microsoft Corporation	c:\windows\system32\wiashext.dll

+ Scanners & Cameras	Imaging Devices Shell Folder UI	Microsoft Corporation	c:\windows\system32\wiashext.dll

+ Scanners & Cameras	Imaging Devices Shell Folder UI	Microsoft Corporation	c:\windows\system32\wiashext.dll

+ Scheduled Tasks	Task Scheduler interface DLL	Microsoft Corporation	c:\windows\system32\mstask.dll

+ Search	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Search Assistant OC	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Search Band	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Sendmail service	Send Mail	Microsoft Corporation	c:\windows\system32\sendmail.dll

+ Sendmail service	Send Mail	Microsoft Corporation	c:\windows\system32\sendmail.dll

+ Set Program Access and Defaults	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Shell Application Manager	Shell Application Manager	Microsoft Corporation	c:\windows\system32\appwiz.cpl

+ Shell Automation Inproc Service	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Shell Band Site Menu	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Shell DeskBar	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Shell DeskBarApp	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Shell DocObject Viewer	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Shell extensions for Microsoft Windows Network objects	Network object shell UI	Microsoft Corporation	c:\windows\system32\ntlanui2.dll

+ Shell extensions for sharing	Shell extensions for sharing	Microsoft Corporation	c:\windows\system32\ntshrui.dll

+ Shell extensions for sharing	Shell extensions for sharing	Microsoft Corporation	c:\windows\system32\ntshrui.dll

+ Shell extensions for Windows Script Host	Microsoft (r) Shell Extension for Windows Script Host	Microsoft Corporation	c:\windows\system32\wshext.dll

+ Shell Icon Handler for Application References	Application Deployment Support Library	Microsoft Corporation	c:\windows\system32\dfshim.dll

+ Shell Image Data Factory	Windows Picture and Fax Viewer	Microsoft Corporation	c:\windows\system32\shimgvw.dll

+ Shell Image Property Handler	Windows Picture and Fax Viewer	Microsoft Corporation	c:\windows\system32\shimgvw.dll

+ Shell Image Verbs	Windows Picture and Fax Viewer	Microsoft Corporation	c:\windows\system32\shimgvw.dll

+ Shell properties for a DS object	Directory Service Find	Microsoft Corporation	c:\windows\system32\dsquery.dll

+ Shell Publishing Wizard Object	Map Network Drives/Network Places Wizard	Microsoft Corporation	c:\windows\system32\netplwiz.dll

+ Shell Rebar BandSite	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Shell Scrap DataHandler	Shell scrap object handler	Microsoft Corporation	c:\windows\system32\shscrap.dll

+ Shell Search Band	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ ShellLink for Application References	Application Deployment Support Library	Microsoft Corporation	c:\windows\system32\dfshim.dll

+ Subscription Folder	Web Site Monitor	Microsoft Corporation	c:\windows\system32\webcheck.dll

+ Subscription Mgr	Web Site Monitor	Microsoft Corporation	c:\windows\system32\webcheck.dll

+ Summary Info Thumbnail handler (DOCFILES)	Windows Picture and Fax Viewer	Microsoft Corporation	c:\windows\system32\shimgvw.dll

+ Taskbar and Start Menu	Windows Shell Common Dll	Microsoft Corporation	c:\windows\system32\shell32.dll

+ Tasks Folder Icon Handler	Task Scheduler interface DLL	Microsoft Corporation	c:\windows\system32\mstask.dll

+ Tasks Folder Shell Extension	Task Scheduler interface DLL	Microsoft Corporation	c:\windows\system32\mstask.dll

+ Temporary Internet Files	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Temporary Internet Files	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ The Internet	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

+ Track Popup Bar	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ TrayAgent	Web Site Monitor	Microsoft Corporation	c:\windows\system32\webcheck.dll

+ TridentImageExtractor	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ User Accounts	Map Network Drives/Network Places Wizard	Microsoft Corporation	c:\windows\system32\netplwiz.dll

+ User Assist	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ Video Media Properties Handler	Media File Property Extractor Shell Extension	Microsoft Corporation	c:\windows\system32\shmedia.dll

+ Video Thumbnail Extractor	Media File Property Extractor Shell Extension	Microsoft Corporation	c:\windows\system32\shmedia.dll

+ Wav Properties Handler	Media File Property Extractor Shell Extension	Microsoft Corporation	c:\windows\system32\shmedia.dll

+ Web Folders	Microsoft Web Folders	Microsoft Corporation	c:\program files\common files\microsoft shared\web folders\msonsext.dll

+ Web Printer Shell Extension	Print UI DLL	Microsoft Corporation	c:\windows\system32\printui.dll

+ Web Publishing Wizard	Map Network Drives/Network Places Wizard	Microsoft Corporation	c:\windows\system32\netplwiz.dll

+ Web Search	Shell Browser UI Library	Microsoft Corporation	c:\windows\system32\browseui.dll

+ WebCheck	Web Site Monitor	Microsoft Corporation	c:\windows\system32\webcheck.dll

+ WebCheck SyncMgr Handler	Web Site Monitor	Microsoft Corporation	c:\windows\system32\webcheck.dll

+ WebCheckChannelAgent	Web Site Monitor	Microsoft Corporation	c:\windows\system32\webcheck.dll

+ WebCheckWebCrawler	Web Site Monitor	Microsoft Corporation	c:\windows\system32\webcheck.dll

+ Windows Media Player Add to Playlist Context Menu Handler	Windows Media Player Launcher	Microsoft Corporation	c:\windows\system32\wmpshell.dll

+ Windows Media Player Burn Audio CD Context Menu Handler	Windows Media Player Launcher	Microsoft Corporation	c:\windows\system32\wmpshell.dll

+ Windows Media Player Play as Playlist Context Menu Handler	Windows Media Player Launcher	Microsoft Corporation	c:\windows\system32\wmpshell.dll

+ WinRAR shell extension c:\program files\winrar\rarext.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers 

+ {0D2E74C4-3C34-11d2-A27E-00C04FC30871}	Windows Shell Common Dll	Microsoft Corporation	c:\windows\system32\shell32.dll

+ {24F14F01-7B1C-11d1-838f-0000F80461CF}	Windows Shell Common Dll	Microsoft Corporation	c:\windows\system32\shell32.dll

+ {24F14F02-7B1C-11d1-838f-0000F80461CF}	Windows Shell Common Dll	Microsoft Corporation	c:\windows\system32\shell32.dll

+ {66742402-F9B9-11D1-A202-0000F81FEDEE}	Windows Shell Common Dll	Microsoft Corporation	c:\windows\system32\shell32.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects 

+ AcroIEHlprObj Class	Adobe Acrobat IE Helper Version 6.0 for ActivieX	Adobe Systems Incorporated	c:\program files\adobe\acrobat 6.0\acrobat\activex\acroiehelper.dll

+ AcroIEToolbarHelper Class c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll

+ CBrowserHelperObject Object	BAE.dll	Gateway Inc.	c:\windows\system32\bae.dll

+ Google Toolbar Helper	Google IE Client Toolbar	Google Inc.	c:\program files\google\googletoolbar3.dll

+ McAfee AntiPhishing Filter	McApfBHO	McAfee, Inc.	c:\program files\mcafee\spamkiller\mcapfbho.dll

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks 

+ shdocvw.dll	Shell Doc Object and Control Library	Microsoft Corporation	c:\windows\system32\shdocvw.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar 

+ acroiefavclient.dll c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll

+ googletoolbar3.dll	Google IE Client Toolbar	Google Inc.	c:\program files\google\googletoolbar3.dll

+ McAfee VirusScan	McAfee VirusScan Shell Extension Module	McAfee, Inc.	c:\program files\mcafee.com\vso\mcvsshl.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions 

+ Windows Messenger	Windows Messenger	Microsoft Corporation	c:\program files\messenger\msmsgs.exe

Task Scheduler 

+ ISP signup reminder 1.job	Windows OOBE Balloon Reminder	Microsoft Corporation	c:\windows\system32\oobe\oobebaln.exe

HKLM\System\CurrentControlSet\Services 

+ ARSVC	ARService	Microsoft	c:\windows\arservice.exe

+ AudioSrv	Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ AVG Anti-Spyware Guard	AVG Anti-Spyware guard	Anti-Malware Development a.s.	c:\program files\grisoft\avg anti-spyware 7.5\guard.exe

+ Browser	Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ CryptSvc	Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ DcomLaunch	Provides launch functionality for DCOM services.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ Dhcp	Manages network configuration by registering and updating IP addresses and DNS names.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ dmserver	Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ Dnscache	Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ ehRecvr	Media Center Service for TV and FM broadcast reception	Microsoft Corporation	c:\windows\ehome\ehrecvr.exe

+ ehSched	Media Center Scheduler Service	Microsoft Corporation	c:\windows\ehome\ehsched.exe

+ ERSvc	Allows error reporting for services and applictions running in non-standard environments.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ Eventlog	Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.	Microsoft Corporation	c:\windows\system32\services.exe

+ helpsvc	Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ HidServ	Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ lanmanserver	Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ lanmanworkstation	Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ LmHosts	Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ McDetect.exe	McAfee WSC Integration Service	McAfee, Inc	c:\program files\mcafee.com\agent\mcdetect.exe

+ McrdSvc	MCRD Device Service	Microsoft Corporation	c:\windows\ehome\mcrdsvc.exe

+ McShield	On-Access Scanner service	McAfee Inc.	c:\program files\mcafee.com\vso\mcshield.exe

+ McTskshd.exe	McAfee Task Scheduler	McAfee, Inc	c:\program files\mcafee.com\agent\mctskshd.exe

+ MpfService	McAfee Personal Firewall Service	McAfee Corporation	c:\program files\mcafee.com\personal firewall\mpfservice.exe

+ MskService	McAfee SpamKiller Server	McAfee Inc.	c:\program files\mcafee\spamkiller\msksrvr.exe

+ NVSvc	Provides system and desktop level support to the NVIDIA display driver	NVIDIA Corporation	c:\windows\system32\nvsvc32.exe

+ PlugPlay	Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.	Microsoft Corporation	c:\windows\system32\services.exe

+ PolicyAgent	Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.	Microsoft Corporation	c:\windows\system32\lsass.exe

+ PrismXL	PrismXL Service	New Boundary Technologies, Inc.	c:\program files\common files\new boundary\prismxl\prismxl.sys

+ ProtectedStorage	Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.	Microsoft Corporation	c:\windows\system32\lsass.exe

+ RemoteRegistry	Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ RpcSs	Provides the endpoint mapper and other miscellaneous RPC services.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ SamSs	Stores security information for local user accounts.	Microsoft Corporation	c:\windows\system32\lsass.exe

+ Schedule	Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ seclogon	Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ SENS	Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ SharedAccess	Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ ShellHWDetection	Provides notifications for AutoPlay hardware events.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ Spooler	Loads files to memory for later printing.	Microsoft Corporation	c:\windows\system32\spoolsv.exe

+ srservice	Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties	Microsoft Corporation	c:\windows\system32\svchost.exe

+ SSDPSRV	Enables discovery of UPnP devices on your home network.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ Themes	Provides user experience theme management.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ TrkWks	Maintains links between NTFS files within a computer or across computers in a network domain.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ W32Time	Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ WebClient	Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ winmgmt	Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ wscsvc	Monitors system security settings and configurations.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ wuauserv	Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.	Microsoft Corporation	c:\windows\system32\svchost.exe

+ WZCSVC	Provides automatic configuration for the 802.11 adapters	Microsoft Corporation	c:\windows\system32\svchost.exe

HKLM\System\CurrentControlSet\Services 

+ abp480n5	AdvanSys SCSI Controller Driver	Microsoft Corporation	c:\windows\system32\drivers\abp480n5.sys

+ ACPI	ACPI Driver for NT	Microsoft Corporation	c:\windows\system32\drivers\acpi.sys

+ ACPIEC	ACPI Embedded Controller Driver	Microsoft Corporation	c:\windows\system32\drivers\acpiec.sys

+ adpu160m	Adaptec Ultra160 SCSI miniport	Microsoft Corporation	c:\windows\system32\drivers\adpu160m.sys

+ aec	Microsoft Acoustic Echo Canceller	Microsoft Corporation	c:\windows\system32\drivers\aec.sys

+ AFD	AFD Networking Support Environment	Microsoft Corporation	c:\windows\system32\drivers\afd.sys

+ agp440	440 NT AGP Filter	Microsoft Corporation	c:\windows\system32\drivers\agp440.sys

+ agpCPQ	CompatNT AGP Filter	Microsoft Corporation	c:\windows\system32\drivers\agpcpq.sys

+ Aha154x	Adaptec AHA-154x series SCSI miniport	Microsoft Corporation	c:\windows\system32\drivers\aha154x.sys

+ aic78u2	Adaptec Ultra2 SCSI miniport	Microsoft Corporation	c:\windows\system32\drivers\aic78u2.sys

+ aic78xx	Adaptec Ultra SCSI miniport	Microsoft Corporation	c:\windows\system32\drivers\aic78xx.sys

+ AliIde	ALi mini IDE Driver	Acer Laboratories Inc.	c:\windows\system32\drivers\aliide.sys

+ alim1541	ALi M1541 NT AGP Filter	Microsoft Corporation	c:\windows\system32\drivers\alim1541.sys

+ amdagp	AMD Win2000 AGP Filter	Advanced Micro Devices, Inc.	c:\windows\system32\drivers\amdagp.sys

+ AmdK8	AMD Processor Driver	Advanced Micro Devices	c:\windows\system32\drivers\amdk8.sys

+ amsint	AMD SCSI/NET Controller	Microsoft Corporation	c:\windows\system32\drivers\amsint.sys

+ aracpi	Microsoft AR ACPI Driver (Beta 2 Release 2)	Microsoft Corporation	c:\windows\system32\drivers\aracpi.sys

+ arhidfltr	Microsoft AR HID Filter Driver (Beta 2 Release 2)	Microsoft Corporation	c:\windows\system32\drivers\arhidfltr.sys

+ arkbcfltr	Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)	Microsoft Corporation	c:\windows\system32\drivers\arkbcfltr.sys

+ armoucfltr	Microsoft AR PS/2 Mouse Filter Driver (Beta 2 Release 2)	Microsoft Corporation	c:\windows\system32\drivers\armoucfltr.sys

+ Arp1394	1394 ARP Client Protocol	Microsoft Corporation	c:\windows\system32\drivers\arp1394.sys

+ ARPolicy	Microsoft AR Policy Driver (Beta 2 Release 2)	Microsoft Corporation	c:\windows\system32\drivers\arpolicy.sys

+ asc	AdvanSys SCSI Controller Driver	Advanced System Products, Inc.	c:\windows\system32\drivers\asc.sys

+ asc3350p	AdvanSys SCSI Card Driver	Microsoft Corporation	c:\windows\system32\drivers\asc3350p.sys

+ asc3550	AdvanSys Ultra-Wide PCI SCSI Driver	Advanced System Products, Inc.	c:\windows\system32\drivers\asc3550.sys

+ AsyncMac	RAS Asynchronous Media Driver	Microsoft Corporation	c:\windows\system32\drivers\asyncmac.sys

+ atapi	IDE/ATAPI Port Driver	Microsoft Corporation	c:\windows\system32\drivers\atapi.sys

+ Atmarpc	ATM ARP Client Protocol	Microsoft Corporation	c:\windows\system32\drivers\atmarpc.sys

+ audstub	AudStub Driver	Microsoft Corporation	c:\windows\system32\drivers\audstub.sys

+ AVG Anti-Spyware Driver c:\program files\grisoft\avg anti-spyware 7.5\guard.sys

+ AvgAsCln	AVG7 Clean Driver	GRISOFT, s.r.o.	c:\windows\system32\drivers\avgascln.sys

+ cbidf	CardBus/PCMCIA IDE Miniport Driver	Microsoft Corporation	c:\windows\system32\drivers\cbidf2k.sys

+ cd20xrnt	IBM Portable CD-ROM Drive Miniport	Microsoft Corporation	c:\windows\system32\drivers\cd20xrnt.sys

+ Cdrom	SCSI CD-ROM Driver	Microsoft Corporation	c:\windows\system32\drivers\cdrom.sys

+ CmBatt	Control Method Battery Driver	Microsoft Corporation	c:\windows\system32\drivers\cmbatt.sys

+ CmdIde	CMD PCI IDE Bus Driver	CMD Technology, Inc.	c:\windows\system32\drivers\cmdide.sys

+ Compbatt	Composite Battery Driver	Microsoft Corporation	c:\windows\system32\drivers\compbatt.sys

+ Cpqarray	Compaq Drive Array Controllers SCSI Miniport Driver	Microsoft Corporation	c:\windows\system32\drivers\cpqarray.sys

+ dac2w2k	Mylex Disk Array Controller Driver	Mylex Corporation	c:\windows\system32\drivers\dac2w2k.sys

+ dac960nt	Mylex Disk Array Controller Driver	Microsoft Corporation	c:\windows\system32\drivers\dac960nt.sys

+ Disk	PnP Disk Driver	Microsoft Corporation	c:\windows\system32\drivers\disk.sys

+ dmio	NT Disk Manager I/O Driver	Microsoft Corp., Veritas Software	c:\windows\system32\drivers\dmio.sys

+ dmload	NT Disk Manager Startup Driver	Microsoft Corp., Veritas Software.	c:\windows\system32\drivers\dmload.sys

+ DMusic	Microsoft Kernel DLS Synthesizer	Microsoft Corporation	c:\windows\system32\drivers\dmusic.sys

+ dpti2o	DPT SmartRAID miniport	Microsoft Corporation	c:\windows\system32\drivers\dpti2o.sys

+ drmkaud	Microsoft Kernel DRM Audio Descrambler Filter	Microsoft Corporation	c:\windows\system32\drivers\drmkaud.sys

+ DVC	Description string for DVC driver	Your Corporation	c:\windows\system32\drivers\dvc.sys

+ Fdc	Floppy Disk Controller Driver	Microsoft Corporation	c:\windows\system32\drivers\fdc.sys

+ FsVga	Full Screen Video Driver	Microsoft Corporation	c:\windows\system32\drivers\fsvga.sys

+ Ftdisk	FT Disk Driver	Microsoft Corporation	c:\windows\system32\drivers\ftdisk.sys

+ GEARAspiWDM	CDRom Class Filter Driver	GEAR Software Inc.	c:\windows\system32\drivers\gearaspiwdm.sys

+ Gpc	Generic Packet Classifier	Microsoft Corporation	c:\windows\system32\drivers\msgpc.sys

+ HDAudBus	High Definition Audio Bus Driver v1.0a	Windows (R) Server 2003 DDK provider	c:\windows\system32\drivers\hdaudbus.sys

+ HidUsb	USB Miniport Driver for Input Devices	Microsoft Corporation	c:\windows\system32\drivers\hidusb.sys

+ hpn	NetRAID-4M Miniport Driver	Microsoft Corporation	c:\windows\system32\drivers\hpn.sys

+ HSF_DPV	HSF_DP driver	Conexant Systems, Inc.	c:\windows\system32\drivers\hsf_dpv.sys

+ HSFHWBS2	HSF_HWB2 WDM driver	Conexant Systems, Inc.	c:\windows\system32\drivers\hsfhwbs2.sys

+ HTTP	This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start.	Microsoft Corporation	c:\windows\system32\drivers\http.sys

+ i2omp	I2O Miniport Driver	Microsoft Corporation	c:\windows\system32\drivers\i2omp.sys

+ i8042prt	i8042 Port Driver	Microsoft Corporation	c:\windows\system32\drivers\i8042prt.sys

+ Imapi	IMAPI Kernel Driver	Microsoft Corporation	c:\windows\system32\drivers\imapi.sys

+ ini910u	INITIO ini910u SCSI miniport	Microsoft Corporation	c:\windows\system32\drivers\ini910u.sys

+ IntcAzAudAddService	Realtek(r) High Definition Audio Function Driver	Realtek Semiconductor Corp.	c:\windows\system32\drivers\rtkhdaud.sys

+ IntelIde	Intel PCI IDE Driver	Microsoft Corporation	c:\windows\system32\drivers\intelide.sys

+ Ip6Fw	Provides intrusion prevention service for a home or small office network.	Microsoft Corporation	c:\windows\system32\drivers\ip6fw.sys

+ IpFilterDriver	IP Traffic Filter Driver	Microsoft Corporation	c:\windows\system32\drivers\ipfltdrv.sys

+ IpInIp	IP in IP Tunnel Driver	Microsoft Corporation	c:\windows\system32\drivers\ipinip.sys

+ IpNat	IP Network Address Translator	Microsoft Corporation	c:\windows\system32\drivers\ipnat.sys

+ IPSec	IPSEC driver	Microsoft Corporation	c:\windows\system32\drivers\ipsec.sys

+ IRENUM	Infra-Red Bus Enumerator	Microsoft Corporation	c:\windows\system32\drivers\irenum.sys

+ isapnp	PNP ISA Bus Driver	Microsoft Corporation	c:\windows\system32\drivers\isapnp.sys

+ Kbdclass	Keyboard Class Driver	Microsoft Corporation	c:\windows\system32\drivers\kbdclass.sys

+ kbdhid	HID Mouse Filter Driver	Microsoft Corporation	c:\windows\system32\drivers\kbdhid.sys

+ kmixer	Kernel Mode Audio Mixer	Microsoft Corporation	c:\windows\system32\drivers\kmixer.sys

+ mdmxsdk	Diagnostic Interface DRIVER	Conexant	c:\windows\system32\drivers\mdmxsdk.sys

+ MHNDRV	Multimedia Home Network component driver	Microsoft Corporation	c:\windows\system32\drivers\mhndrv.sys

+ Mouclass	Mouse Class Driver	Microsoft Corporation	c:\windows\system32\drivers\mouclass.sys

+ mouhid	HID Mouse Filter Driver	Microsoft Corporation	c:\windows\system32\drivers\mouhid.sys

+ MPFIREWL	McAfee Personal Firewall Driver	McAfee	c:\windows\system32\drivers\mpfirewall.sys

+ mraid35x	MegaRAID RAID Controller Driver for Windows Whistler 32	American Megatrends Inc.	c:\windows\system32\drivers\mraid35x.sys

+ MSKSSRV	MS KS Server	Microsoft Corporation	c:\windows\system32\drivers\mskssrv.sys

+ MSPCLOCK	MS Proxy Clock	Microsoft Corporation	c:\windows\system32\drivers\mspclock.sys

+ MSPQM	MS Proxy Quality Manager	Microsoft Corporation	c:\windows\system32\drivers\mspqm.sys

+ mssmbios	System Management BIOS Driver	Microsoft Corporation	c:\windows\system32\drivers\mssmbios.sys

+ NaiAvFilter1	Anti-Virus File System Filter Driver	McAfee Inc.	c:\windows\system32\drivers\naiavf5x.sys


----------



## Drew345 (Dec 1, 2006)

+ NdisTapi	Remote Access NDIS TAPI Driver	Microsoft Corporation	c:\windows\system32\drivers\ndistapi.sys

+ Ndisuio	NDIS Usermode I/O Protocol	Microsoft Corporation	c:\windows\system32\drivers\ndisuio.sys

+ NdisWan	Remote Access NDIS WAN Driver	Microsoft Corporation	c:\windows\system32\drivers\ndiswan.sys

+ NetBT	NetBios over Tcpip	Microsoft Corporation	c:\windows\system32\drivers\netbt.sys

+ NIC1394	IEEE1394 Ndis Miniport and Call Manager	Microsoft Corporation	c:\windows\system32\drivers\nic1394.sys

+ nv	NVIDIA Compatible Windows 2000 Miniport Driver, Version 81.97 NVIDIA Corporation	c:\windows\system32\drivers\nv4_mini.sys

+ NVENETFD	NVIDIA Networking Function Driver.	NVIDIA Corporation	c:\windows\system32\drivers\nvenetfd.sys

+ nvnetbus	NVIDIA Networking Bus Driver.	NVIDIA Corporation	c:\windows\system32\drivers\nvnetbus.sys

+ NwlnkFlt	IPX Traffic Filter Driver	Microsoft Corporation	c:\windows\system32\drivers\nwlnkflt.sys

+ NwlnkFwd	IPX Traffic Forwarder Driver	Microsoft Corporation	c:\windows\system32\drivers\nwlnkfwd.sys

+ ohci1394	1394 OpenHCI Port Driver	Microsoft Corporation	c:\windows\system32\drivers\ohci1394.sys

+ Parport	Parallel Port Driver	Microsoft Corporation	c:\windows\system32\drivers\parport.sys

+ PCI	NT Plug and Play PCI Enumerator	Microsoft Corporation	c:\windows\system32\drivers\pci.sys

+ PCIIde	Generic PCI IDE Bus Driver	Microsoft Corporation	c:\windows\system32\drivers\pciide.sys

+ Pcmcia	PCMCIA Bus Driver	Microsoft Corporation	c:\windows\system32\drivers\pcmcia.sys

+ perc2	PERC 2 Miniport Driver	Microsoft Corporation	c:\windows\system32\drivers\perc2.sys

+ perc2hib	PERC 2 Hibernate Driver	Microsoft Corporation	c:\windows\system32\drivers\perc2hib.sys

+ PptpMiniport	WAN Miniport (PPTP)	Microsoft Corporation	c:\windows\system32\drivers\raspptp.sys

+ Processor	Processor Device Driver	Microsoft Corporation	c:\windows\system32\drivers\processr.sys

+ PSched	QoS Packet Scheduler	Microsoft Corporation	c:\windows\system32\drivers\psched.sys

+ Ptilink	Direct Parallel Link Driver	Parallel Technologies, Inc.	c:\windows\system32\drivers\ptilink.sys

+ PxHelp20	Px Engine Device Driver for Windows 2000/XP	Sonic Solutions	c:\windows\system32\drivers\pxhelp20.sys

+ ql1080	Miniport Driver for QLogic ISP PCI Adapters	QLogic Corporation	c:\windows\system32\drivers\ql1080.sys

+ Ql10wnt	Miniport Driver for QLogic ISP PCI Adapters	Microsoft Corporation	c:\windows\system32\drivers\ql10wnt.sys

+ ql12160	Miniport Driver for QLogic ISP PCI Adapters	QLogic Corporation	c:\windows\system32\drivers\ql12160.sys

+ ql1240	QLogic ISP PCI Adapters	Microsoft Corporation	c:\windows\system32\drivers\ql1240.sys

+ ql1280	Miniport Driver for QLogic ISP PCI Adapters	QLogic Corporation	c:\windows\system32\drivers\ql1280.sys

+ RasAcd	Remote Access Auto Connection Driver	Microsoft Corporation	c:\windows\system32\drivers\rasacd.sys

+ Rasl2tp	WAN Miniport (L2TP)	Microsoft Corporation	c:\windows\system32\drivers\rasl2tp.sys

+ RasPppoe	Remote Access PPPOE Driver	Microsoft Corporation	c:\windows\system32\drivers\raspppoe.sys

+ Raspti	Direct Parallel	Microsoft Corporation	c:\windows\system32\drivers\raspti.sys

+ RDPCDD	RDP Miniport	Microsoft Corporation	c:\windows\system32\drivers\rdpcdd.sys

+ rdpdr	Microsoft RDP Device redirector	Microsoft Corporation	c:\windows\system32\drivers\rdpdr.sys

+ redbook	Redbook Audio Filter Driver	Microsoft Corporation	c:\windows\system32\drivers\redbook.sys

+ scsk4	SCSK4	SoftCamp Co., Inc.	c:\windows\system32\drivers\scsk4.sys

+ sdbus	SecureDigital Bus Driver	Microsoft Corporation	c:\windows\system32\drivers\sdbus.sys

+ SDVC05	SDvcap Driver	HaSoInTech	c:\windows\system32\drivers\sdvc05.sys

+ Secdrv	SafeDisc driver	Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.	c:\windows\system32\drivers\secdrv.sys

+ Serenum	Serial Port Enumerator	Microsoft Corporation	c:\windows\system32\drivers\serenum.sys

+ Serial	Serial Device Driver	Microsoft Corporation	c:\windows\system32\drivers\serial.sys

+ sisagp	SiS NT AGP Filter	Silicon Integrated Systems Corporation	c:\windows\system32\drivers\sisagp.sys

+ Sparrow	Adaptec AIC-6x60 series SCSI miniport	Adaptec, Inc.	c:\windows\system32\drivers\sparrow.sys

+ splitter	Microsoft Kernel Audio Splitter	Microsoft Corporation	c:\windows\system32\drivers\splitter.sys

+ sscdbus	SAMSUNG USB Composite Device Driver	MCCI	c:\windows\system32\drivers\sscdbus.sys

+ sscdmdfl	SAMSUNG CDMA Modem Filter	MCCI	c:\windows\system32\drivers\sscdmdfl.sys

+ sscdmdm	SAMSUNG CDMA Modem Drivers	MCCI	c:\windows\system32\drivers\sscdmdm.sys

+ swenum	Plug and Play Software Device Enumerator	Microsoft Corporation	c:\windows\system32\drivers\swenum.sys

+ swmidi	Microsoft GS Wavetable Synthesizer	Microsoft Corporation	c:\windows\system32\drivers\swmidi.sys

+ sym_hi	Symbios Hi-Perf SCSI Miniport Driver	LSI Logic	c:\windows\system32\drivers\sym_hi.sys

+ sym_u3	Symbios Ultra3 SCSI Miniport Driver	LSI Logic	c:\windows\system32\drivers\sym_u3.sys

+ symc810	Symbios Logic Inc. SCSI Miniport Driver	Symbios Logic Inc.	c:\windows\system32\drivers\symc810.sys

+ symc8xx	Symbios 8XX SCSI Miniport Driver	LSI Logic	c:\windows\system32\drivers\symc8xx.sys

+ sysaudio	System Audio WDM Filter	Microsoft Corporation	c:\windows\system32\drivers\sysaudio.sys

+ Tcpip	TCP/IP Protocol Driver	Microsoft Corporation	c:\windows\system32\drivers\tcpip.sys

+ TermDD	Terminal Server Driver	Microsoft Corporation	c:\windows\system32\drivers\termdd.sys

+ TosIde	Toshiba PCI IDE Controller	Microsoft Corporation	c:\windows\system32\drivers\toside.sys

+ ultra	Promise Ultra66 Miniport Driver	Promise Technology, Inc.	c:\windows\system32\drivers\ultra.sys

+ Update	Update Driver	Microsoft Corporation	c:\windows\system32\drivers\update.sys

+ usbccgp	USB Common Class Generic Parent Driver	Microsoft Corporation	c:\windows\system32\drivers\usbccgp.sys

+ usbehci	EHCI eUSB Miniport Driver	Microsoft Corporation	c:\windows\system32\drivers\usbehci.sys

+ usbhub	Default Hub Driver for USB	Microsoft Corporation	c:\windows\system32\drivers\usbhub.sys

+ usbohci	OHCI USB Miniport Driver	Microsoft Corporation	c:\windows\system32\drivers\usbohci.sys

+ usbstor	USB Mass Storage Class Driver	Microsoft Corporation	c:\windows\system32\drivers\usbstor.sys

+ usbuhci	UHCI USB Miniport Driver	Microsoft Corporation	c:\windows\system32\drivers\usbuhci.sys

+ VgaSave	VGA/Super VGA Video Driver	Microsoft Corporation	c:\windows\system32\drivers\vga.sys

+ viaagp	VIA NT AGP Filter	Microsoft Corporation	c:\windows\system32\drivers\viaagp.sys

+ ViaIde	Generic PCI IDE Bus Driver	Microsoft Corporation	c:\windows\system32\drivers\viaide.sys

+ Wanarp	Remote Access IP ARP Driver	Microsoft Corporation	c:\windows\system32\drivers\wanarp.sys

+ wanatw	Wan Miniport (ATW)	America Online, Inc.	c:\windows\system32\drivers\wanatw4.sys

+ wdmaud	MMSYSTEM Wave/Midi API mapper	Microsoft Corporation	c:\windows\system32\drivers\wdmaud.sys

+ winachsf	HSF_CNXT driver	Conexant Systems, Inc.	c:\windows\system32\drivers\hsf_cnxt.sys

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

+ autocheck autochk *	Auto Check Utility	Microsoft Corporation	c:\windows\system32\autochk.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

+ Your Image File Name Here without a path	Symbolic Debugger for Windows 2000	Microsoft Corporation	c:\windows\system32\ntsd.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

+ C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\program files\google\google desktop search\googledesktopnetwork3.dll

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls

+ advapi32	Advanced Windows 32 Base API	Microsoft Corporation	c:\windows\system32\advapi32.dll

+ comdlg32	Common Dialogs DLL	Microsoft Corporation	c:\windows\system32\comdlg32.dll

+ gdi32	GDI Client DLL	Microsoft Corporation	c:\windows\system32\gdi32.dll

+ imagehlp	Windows NT Image Helper	Microsoft Corporation	c:\windows\system32\imagehlp.dll

+ kernel32	Windows NT BASE API Client DLL	Microsoft Corporation	c:\windows\system32\kernel32.dll

+ lz32	LZ Expand/Compress API DLL	Microsoft Corporation	c:\windows\system32\lz32.dll

+ ole32	Microsoft OLE for Windows	Microsoft Corporation	c:\windows\system32\ole32.dll

+ oleaut32 Microsoft Corporation	c:\windows\system32\oleaut32.dll

+ olecli32	Object Linking and Embedding Client Library	Microsoft Corporation	c:\windows\system32\olecli32.dll

+ olecnv32	Microsoft OLE for Windows	Microsoft Corporation	c:\windows\system32\olecnv32.dll

+ olesvr32	Object Linking and Embedding Server Library	Microsoft Corporation	c:\windows\system32\olesvr32.dll

+ olethk32	Microsoft OLE for Windows	Microsoft Corporation	c:\windows\system32\olethk32.dll

+ rpcrt4	Remote Procedure Call Runtime	Microsoft Corporation	c:\windows\system32\rpcrt4.dll

+ shell32	Windows Shell Common Dll	Microsoft Corporation	c:\windows\system32\shell32.dll

+ url	Internet Shortcut Shell Extension DLL	Microsoft Corporation	c:\windows\system32\url.dll

+ urlmon	OLE32 Extensions for Win32	Microsoft Corporation	c:\windows\system32\urlmon.dll

+ user32	Windows XP USER API Client DLL	Microsoft Corporation	c:\windows\system32\user32.dll

+ version	Version Checking and File Installation Libraries	Microsoft Corporation	c:\windows\system32\version.dll

+ wininet	Internet Extensions for Win32	Microsoft Corporation	c:\windows\system32\wininet.dll

+ wldap32	Win32 LDAP API DLL	Microsoft Corporation	c:\windows\system32\wldap32.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

+ logonui.exe	Windows Logon UI	Microsoft Corporation	c:\windows\system32\logonui.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

+ crypt32chain	Crypto API32	Microsoft Corporation	c:\windows\system32\crypt32.dll

+ cryptnet	Crypto Network Related API	Microsoft Corporation	c:\windows\system32\cryptnet.dll

+ cscdll	Offline Network Agent	Microsoft Corporation	c:\windows\system32\cscdll.dll

+ ScCertProp	Common DLL to receive Winlogon notifications	Microsoft Corporation	c:\windows\system32\wlnotify.dll

+ Schedule	Common DLL to receive Winlogon notifications	Microsoft Corporation	c:\windows\system32\wlnotify.dll

+ sclgntfy	Secondary Logon Service Notification DLL	Microsoft Corporation	c:\windows\system32\sclgntfy.dll

+ SensLogn	Common DLL to receive Winlogon notifications	Microsoft Corporation	c:\windows\system32\wlnotify.dll

+ termsrv	Common DLL to receive Winlogon notifications	Microsoft Corporation	c:\windows\system32\wlnotify.dll

+ wlballoon	Common DLL to receive Winlogon notifications	Microsoft Corporation	c:\windows\system32\wlnotify.dll

HKCU\Control Panel\Desktop\Scrnsave.exe

+ C:\WINDOWS\system32\gtw_logo.scr c:\windows\system32\gtw_logo.scr

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{506B92FB-A770-49DE-B465-8EA15A95D517}] DATAGRAM 1	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{506B92FB-A770-49DE-B465-8EA15A95D517}] SEQPACKET 1	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{855DE2D2-9B93-4A1E-9E31-E900B69D5FB2}] DATAGRAM 3	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{855DE2D2-9B93-4A1E-9E31-E900B69D5FB2}] SEQPACKET 3	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{E02061F1-C8BA-4BD9-9327-9B0269DD363E}] DATAGRAM 2	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{E02061F1-C8BA-4BD9-9327-9B0269DD363E}] SEQPACKET 2	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF95A741-2AC3-49C6-AF99-8FBA0CAAFA5D}] DATAGRAM 0	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	c:\windows\system32\mswsock.dll

+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF95A741-2AC3-49C6-AF99-8FBA0CAAFA5D}] SEQPACKET 0	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	c:\windows\system32\mswsock.dll

+ MSAFD Tcpip [RAW/IP]	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	c:\windows\system32\mswsock.dll

+ MSAFD Tcpip [TCP/IP]	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	c:\windows\system32\mswsock.dll

+ MSAFD Tcpip [UDP/IP]	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	c:\windows\system32\mswsock.dll

+ RSVP TCP Service Provider	Microsoft Windows Rsvp 1.0 Service Provider	Microsoft Corporation	c:\windows\system32\rsvpsp.dll

+ RSVP UDP Service Provider	Microsoft Windows Rsvp 1.0 Service Provider	Microsoft Corporation	c:\windows\system32\rsvpsp.dll

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

+ Adobe PDF Port	Acrobat ® PDF Port	Adobe Systems Incorporated.	c:\windows\system32\adobepdf.dll

+ BJ Language Monitor	Langage Monitor for Canon Bubble-Jet Printer	Microsoft Corporation	c:\windows\system32\cnbjmon.dll

+ Local Port	Local Spooler DLL	Microsoft Corporation	c:\windows\system32\localspl.dll

+ Microsoft Document Imaging Writer Monitor	Microsoft® Document Imaging	Microsoft Corporation	c:\windows\system32\mdimon.dll

+ PJL Language Monitor	PJL Language monitor	Microsoft Corporation	c:\windows\system32\pjlmon.dll

+ Standard TCP/IP Port	Standard TCP/IP Port Monitor DLL	Microsoft Corporation	c:\windows\system32\tcpmon.dll

+ USB Monitor	Standard Dynamic Printing Port Monitor DLL	Microsoft Corporation	c:\windows\system32\usbmon.dll

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

+ digest.dll	Digest SSPI Authentication Package	Microsoft Corporation	c:\windows\system32\digest.dll

+ msapsspc.dll	DPA Client for 32 bit platforms	Microsoft Corporation	c:\windows\system32\msapsspc.dll

+ msnsspc.dll	MSN Internet Access	Microsoft Corporation	c:\windows\system32\msnsspc.dll

+ schannel.dll	TLS / SSL Security Provider	Microsoft Corporation	c:\windows\system32\schannel.dll

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

+ msv1_0	Microsoft Authentication Package v1.0	Microsoft Corporation	c:\windows\system32\msv1_0.dll

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

+ scecli	Windows Security Configuration Editor Client Engine	Microsoft Corporation	c:\windows\system32\scecli.dll

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

+ kerberos	Kerberos Security Package	Microsoft Corporation	c:\windows\system32\kerberos.dll

+ msv1_0	Microsoft Authentication Package v1.0	Microsoft Corporation	c:\windows\system32\msv1_0.dll

+ schannel	TLS / SSL Security Provider	Microsoft Corporation	c:\windows\system32\schannel.dll

+ wdigest	Microsoft Digest Access	Microsoft Corporation	c:\windows\system32\wdigest.dll


----------



## Mosaic1 (Aug 17, 2001)

We cross posted.

If you already read the post where I told you to delete files, please go back and read again. After seeing your response above it, I added some files to the delete list. 
link:
http://forums.techguy.org/security/523202-error-can-not-find-script-4.html#post4238012

I'll look at your reports and will be back in a bit.


----------



## Drew345 (Dec 1, 2006)

I made the changes to how files are displayed and the advanced search functions:

I searched for the following files on the hard drive and the J: Drive.
autoexec.exe
reper.exe
RavMon.exe
autorun.bat
rav.exe

None of the files were on any drive.

I searched for any folders with 
rav 
rfw

Nothing on any drive.

I will try Panda online next. But last time I had a problem with that one ‘hanging’. You can see post 6 of this thread:

Post #6 -- -- -- -- -- --
I ran the Panda Activescan
It stopped on file 325850 (give or take 50) three times. About 25% done according to the sliding progress bar.
The file it stops on is D:\i386\Apps\App10214\
When it stops, the window freezes and I have to go to the Windows Task Manager to close the window. 
-- -- -- -- --

I will try again though for Panda Active Scan
and then I will get on with the delete list.


----------



## Drew345 (Dec 1, 2006)

I ran the Panda Active Scan again.
First I scanned only my J: Drive Memory stick

Nothing malicious was found. I don't have a report. 

Now I will scan ‘my computer’
But last time I did this it got hung up (see post #6)
If it works, I will put the results in the next post.


----------



## Mosaic1 (Aug 17, 2001)

Ok Looks good so far. 

We'll have more to do. I'll let you catch up and then we can take it to the next step to take more scans with other utilities. 

Once you have cleaned up the J: drive, disconnect it and then put it back in as before. Do you get the same problem again?


----------



## Drew345 (Dec 1, 2006)

Incident Status Location

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner.ANDREW\Cookies\[email protected][1].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner.ANDREW\Cookies\[email protected][1].txt 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner.ANDREW\Cookies\[email protected][2].txt  
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Owner.ANDREW\Cookies\[email protected][2].txt 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner.ANDREW\Cookies\[email protected][2].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner.ANDREW\Cookies\[email protected][2].txt 
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Owner.ANDREW\Cookies\[email protected][1].txt 
Possible Virus. Not disinfected C:\WINDOWS\system32\jesterss.dll


----------



## Drew345 (Dec 1, 2006)

The Panda Active Scan completed fine. It found 7 spyware and one suspicious, listed in the post above. 

I am now deleting the files recommended in post #60
The remaining files are now:

autorun.apm
Autorun.exe_被?蔽木?
autorun.inf_被?蔽木?
Autorun.ini
AUTORUN.PNF

And all of these files still exist in the ‘Nasties’ folder. I never deleted them from ‘nasties’.

I removed and put in the J: Drive memory stick. 
Now I went to ‘My computer’. Double clicked on the J: Drive Memory stick. And it opens up just fine. No more error ‘cannot find autorun.vbs file’


----------



## Mosaic1 (Aug 17, 2001)

RE: Jesters.dll

Do you have FlashJester installed? Or a screensaver made with that program? 

The other entries are cookies. You can delete those if you like.

If you have used that registry file to clean up the MountPoints2 key and have removed the autorun* files I listed earlier, and it is still clean, can you quickly test now please? 
Insert the flash drive and see if the problem returns. Thanks.


----------



## Drew345 (Dec 1, 2006)

I don't know about flashjesters. Don't think I have it installed.
The drive worked fine just after removing those files (Post 69). I will run the registry file to clean up the Mousepoints2 and test it again.

You say "Insert the flash drive and see if the problem returns". Note that the flash drive always worked fine when I first inserted it. It would open just fine upon being inserted. No problem there. The problem came later when I try to open it from the 'My Computer' window.

You mentioned in one post about 'appears to be some sort of game installer'. No I don't know anything about that, I am not much of a gamer. I will check my other laptop very carefully with AVG and Kaspersky and maybe even Panda. Not sure exactly what the best way to check that laptop is; for my laptop I am working through some instructions sent to me in my other post 
http://forums.techguy.org/security/524752-kaspersky-scan-winvnc-infection-keylogger.html

One sad note: Yesterday a colleague at work wanted to take a file from my office computer. He gave me his memory stick. I put it in, double clicked it, and got an error. Can't be sure it was the same error because work computers are all in Korean language. He said, 'what is that, that's been happening a lot around here'. Like I said, our work PCs are all in Korean language and protected by some Korean 'Ahnlab' software. Unfortunately I think this is spreading at my office. I guess I will just have to make sure my home AV can protect against it and always reformat any memory sticks I take to the office.


----------



## Drew345 (Dec 1, 2006)

I took out the J: Drive memory stick. Reran the fixdrew.reg file to clean up the registry. I put back in the memory stick. Upon inserting any USB device, a window opens up saying “What do you want windows to do?” And one option is “Open windows to view files”. There was never an error here, I can say “Open windows to view files” or “take no action”. Both work fine. Now I close the J: Drive window and go to My Computer and double click on the J: Drive. Here, I used to get an error “cannot find autorun.vbs”, but now, no error and the J: Drive opens fine.

Short Answer: J Drive is back in, and the problem did not return.


----------



## Drew345 (Dec 1, 2006)

I think it must be getting really late for you. I am going to disconnect this desktop from the network and connect my laptop and do some of the downloading recommended for my laptop security. I'll keep an eye for messages on this thread and come back when you want me to do some more scans.


----------



## Mosaic1 (Aug 17, 2001)

Sorry. I had a visitor here and had to leave you for a while. I am about to sign off for the night.
It sounds pretty good now. But tomorrow we'll see how you stand. 

Yes. I bet these flash drives are passing this infection around at the office. The problem is that if a file is running on the Computer at work, and it is the type which writes to any drive and it sees your Flash drive, it will write to your flash drive and you'll be infected. This is one way these things get passed around. They also get passed around through File sharing and email attachments. 

I saw that ahnlab download listed in your 016's in your Hijackthis log. That particular file listed is a protector against keylogging when you use Internet Explorer.


----------



## Drew345 (Dec 1, 2006)

Hello Mosaic.
Thanks for all your help.
I did another AVG scan in Safe mode and posted it at the bottom here. Then rebooted and scanned the J: Drive with AVG and it came out clean. I will be happy to do any more scans you recommend.

My immediate concerns are these:

I still have Nasties folder on my desktop. I think just dragging it to the trash may not be the best idea. How can I clean that up?

I'm still not sure that Memory stick is 'blessed' as clean. It doesn't create the error anymore when I double click on it in 'My Computer'. It scanned OK on Panda Active Scan and AVG scan. But it still has a few remaining autorun* files (
autorun.apm, 
Autorun.exe_被?蔽木?
autorun.inf_被?蔽木?
Autorun.ini
AUTORUN.PNF
Should I delete those (or just reformat the whole memory stick)?

Can you tell me the name of that virus that caused those autorun* nasties on my memory stick, so I can alert my school office administrator?

In my other case for my laptop, Khazars gave me some good general advice. Should I do all these things on this desktop computer when we finish (or something like this you recommend)
(Khazars good advice (edited)
get spywareblaster
get the hosts file from mvps
and put it into Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Get ie-spyad. 
Use Spyware Terminator
Use spybot's immunize button and use spywareblaster's enable protection
Switch to Mozilla's firefox browser)

Finally, here is the latest AVG scan in safe mode for this Laptop PC.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at:	9:14:44 PM 12/8/2006
+ Scan result:	
C:\Documents and Settings\Owner.ANDREW\Cookies\[email protected][1].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Owner.ANDREW\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : No action taken.
::Report end

(Nothing found on the J: Drive Memory Stick)


----------



## Mosaic1 (Aug 17, 2001)

Hi Drew,

You're welcome. 

You can delete these files from your memory stick:

autorun.apm, 
Autorun.exe_被?蔽木?
autorun.inf_被?蔽木?
Autorun.ini
AUTORUN.PNF


How many files are on the stick?

------------

To bypass the recycle bin and delete a file or folder:
Highlight the file or folder. Hold down the shift key and press the delete key.


Or right click on the file or folder and hold down the shift key and then click delete on the context menu.

------------

Khazars' advice is good. Upping security is always a good idea.

I would also suggest that if you do use this flash drive in any computer other than yours, that you look for new files being created. And most especially if you see an autorun.inf that you immediately delete it. And never double click to open as a third line of defense. Never select any new program to open the drive on the autorun menu. That can be a ruse to get you to run a nasty.

-----------

And warn your friends and colleagues about the dangers of using Flash Drives.

-----------

Although your AV got rid of the vbs, there was evidence of other possible infections. Old renamed Autorun.inf files were present on your drive. Maybe the AV caught those too.

Even after removing the vbs, you were left with an annoying problem.
Always keep your AV up to date and do supplementary online scans to supplement. 



How is the system behaving now?


----------



## Mosaic1 (Aug 17, 2001)

I have something to help you see at a glance what's on that drive or in any folder without opening it.
I wrote this for myself a while ago.


It is a registry file which adds a context menu entry named contents.

When you right click on any folder or drive and then click contents, a dos command named dir will execute for that folder and all its subfolders. The results will be written to a file named contents.txt in that same folder. Contents.txt will open and you can see what's there, where and date created. 
To see the latest, use the context menu entry again to update contents.txt.


To install this context menu item:

Find attached zip. Extract contents.reg 
Double click on contents.reg to add the context menu entry. 

Hope it helps.


----------



## Cookiegal (Aug 27, 2003)

I just want to say a big thank you to Mosaic1 for stepping in here. I really appreciate it. :up:


----------



## Drew345 (Dec 1, 2006)

I deleted the extra autorun files from the memory stick.
The memory stick has 826 MB. Not sure how many files. Mostly old backups. I back up my home files on this stick, carry them to work, and save them on the work computer. Then I backup my office files on the disk, carry them home, and save them on my home pc.

I deleted the nasties folder bypassing the recycle bin.

I installed that 'contents' program. Very nifty. I used it to see what's on my J Drive Memory stick without opening it. I got the list of files. I did a 'find' to look for any 'autorun.inf'. There is one in there:

Directory of J:\SecurDataStorRM\Files
07/14/2005 05:01 PM .
07/14/2005 05:01 PM ..
05/18/2005 10:17 AM 174,348 actskn43.ocxz
05/18/2005 10:17 AM 128 AppPrefs.ini
05/18/2005 10:17 AM 87 autorun.inf ------
05/18/2005 10:17 AM 2,736 Configuration.env

Is this often a legitimate program?

Computer is behaving well now.
One more bit of advice please I will put in next post.
Thanks,
Drew


----------



## Drew345 (Dec 1, 2006)

Yes, big thanks to Mosaic1, and you too cookiegal.

As a method of backup, I copy my home files (about 20Mb) onto a pen drive and carry them to my office and put them on my office computer. I then copy my office files (about 15Mb) and carry them home and put them on my home computer. That way I stay backed up in case one computer crashes. I am not reluctant to do this so boldly. Is there another way that might be better for transporting these files back and forth? If I zip them and email them, is that better? The home files zip down to 10 Mb.
My office computer runs in Korean language so I have much less control over it. I will take all the steps I can to increase security now on that office computer.
Thanks, Drew


----------



## Cookiegal (Aug 27, 2003)

I only had a small part in this but you're most welcome. :up:


----------



## Mosaic1 (Aug 17, 2001)

Cookiegal,
You're welcome.

Drew,

Have a look here:
http://slickdeals.net/forums/showthread.php?t=83372&page=7



> The one I bought from Staples actually had encryption software already stored on the cruzer micro which consists of the "hidden" folders "SecurDataStor" and "SecurDataStorRM" and with these files in the root dir: "CruzerLock2.exe", "QuickStart.pdf", and "Tutorials" (shortcut)
> * While writing a huge file to the cruzer micro, the blue LED should pulsate between bright blue to a dull blue every 500ms.. so the total pulsating/toggle cycle is about 1 second... very easy to see


I think this (SecurDataStorRM) is encryption software which came with your drive. Maybe have a look at the flash drive's manual to see how it works.

-----------------

Are you on a network at work? These things can also spread through networks.

To protect yourself and your home system is very important.

Working in an environment where there is a language issue makes things more difficult for everyone. And you can't control what everyone else does.

Email is ok if you have a fast connection. I would also password protect those. 
To take files into work, do you have a CD drive at Home capable of using rewriteable CD's? If so, that might do it too. I am not sure the nasty would be able to write to those.

Here's another really nice scan script which will take a while, but will get you a lot of useful information about your system. It will also tell you if there is an autorun.inf in the root of any drive connected to your system. It will take quite a while to run.

I can take a look at the results if you like. Keep it and use it once in a while yourself. It's a good idea to know what to expect and then monitor any changes made to your system.

Download Silent Runners from here:

http://www.silentrunners.org/Silent Runners.vbs

Save it to your C:\ drive. 
So you should have c:\silent runners.vbs.

Click start> run> type: (or copy and paste in this line)

"c:\silent runners.vbs" -all

Click enter.

Ok the popup you get that tells you scan has started. 
If you get script warning from your antivirus, please allow script to run. It is not dangerous.

Once complete it will tell you and creates a file in c:\ called "Startup Programs [computername/date/time]"

Post contents of log here.

You may need 2 posts to get entire contents of log in.


----------
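The check recommended in the posts above (look in a drive's root for an autorun.inf and other autorun* files, and see what the autorun.inf would start) can be scripted. This is an added example, not part of the thread and not how Silent Runners works; the sample autorun.inf is constructed and the function names are hypothetical.

```python
import os
import re
import tempfile

# Constructed sample: an autorun.inf left behind after the script it names was removed.
SAMPLE_INF = r"""[AutoRun]
open=wscript.exe autorun.vbs
shell\open\command=wscript.exe autorun.vbs
label=Backup
"""

# [autorun] keys whose value is a command Windows runs for the drive.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_drive(root):
    """Report autorun* files in a drive root and what autorun.inf would run."""
    names = {n.lower(): n for n in os.listdir(root)}  # case-insensitive lookup
    files = sorted(n for k, n in names.items() if k.startswith("autorun"))
    commands = []
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), encoding="latin-1") as fh:
            entries = parse_autorun(fh.read())
        for key, value in entries.items():
            if EXEC_KEY.match(key):
                # Which tokens of the command name a file in the drive root?
                tokens = [t.strip('"').lstrip(".\\/").lower() for t in value.split()]
                on_drive = [names[t] for t in tokens if t in names]
                commands.append({"key": key, "command": value,
                                 "on_drive": on_drive, "dangling": not on_drive})
    return {"autorun_files": files, "commands": commands}

def demo():
    """Audit a temporary folder holding only the constructed autorun.inf."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE_INF)
        return audit_drive(root)
```

Call `audit_drive("J:\\")` on a real drive; an entry marked `dangling` names no file in the drive root, and only files in the root are checked.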



## Mosaic1 (Aug 17, 2001)

Once you have rebooted a time or two, be sure everything is in working order. It is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today.


After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points. 

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore. 


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.


----------



## Drew345 (Dec 1, 2006)

Thanks Mosaic,
I will flush my restore points after a day or so of rebooting.
Sincere thanks for all your help, I learned a lot.
Drew


----------



## Mosaic1 (Aug 17, 2001)

You're welcome. Glad to help. 

Since this affects the Current User Branch of the Registry, I should ask if you have other users on that system. If so, you should have a look at all of their MountPoints2 keys as well.


----------



## Drew345 (Dec 1, 2006)

Thanks, only one user, me, on this system in question. Should be no problem for flushing the restore setpoints.


----------



## Mosaic1 (Aug 17, 2001)

That's good. It's nice not having to share a system.

Have a Happy Holiday Season.


----------



## Flrman1 (Jul 26, 2002)

Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

