
Autorun.inf file


35 replies to this topic

#1 blake.403

blake.403

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 28 February 2009 - 01:28 AM

Hi,

My brother got his system infected with the sever.exe virus, which then placed sever.exe and either edited or created the autorun.inf file in the root directory of each of his drives (external and internal).

So just a quick example

C:\sever.exe
C:\autorun.inf

F:\sever.exe
F:\autorun.inf

Well, of course I was transferring some files and he neglected to tell me that he had that virus. So I got my system infected. Now I appear to have cleaned my system up, however one drive still has an issue. The drive giving me the issue is a 500gb External HDD. It must use the autorun.inf file which was overwritten by the sever.exe virus, and now that the sever.exe virus is gone, whenever I try to open that drive by double clicking the icon from "My Computer" it asks me what I want to open this file with.

I can still access my drive by just right clicking and choosing 'Explore', but personally I'd rather not have to do that.

Now the autorun.inf file I have on the drive has this inside

[AutoRun]
open=Sever.exe
shellexecute=Sever.exe
shell\Auto\command=Sever.exe

Obviously a result of the sever.exe virus. As I said, I've deleted all traces of sever.exe and run multiple scans with MalwareBytes Anti-Malware, HijackThis, and a few others that run off of Hirens and MiniPE. None of them have returned any trace or issues. (I scanned the HJT log @ www.hijackthis.de using their log reader).

Anyway, I'm just more looking for a copy of an autorun file I can use that will fix this issue, or a quick fix so that it doesn't prompt me to choose what to open my external drive with.

I'll attach a DxDiag log of my system so you can see the basic rundown of it, and a picture of the Prompt that I'm getting so you can see exactly what I mean.

Thanks :thumbsup:


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:11:00 PM

Posted 28 February 2009 - 10:35 AM

I'll give you this fix here instead of moving you to AII

Not sure if this will work in your situation
-------------------------
Be sure to plug the drive in first
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Edited by garmanma, 28 February 2009 - 10:35 AM.

Mark

#3 blake.403

blake.403
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 28 February 2009 - 09:07 PM

Thanks for the response. I've downloaded the program and run it, however it gives me no notification of what it's doing, or if it has done anything. When I go to run the file, it prompts if I want to run, I click Run, and then nothing happens. My autorun.inf file still says

[AutoRun]
open=Sever.exe
shellexecute=Sever.exe
shell\Auto\command=Sever.exe

Now again I don't have the sever.exe file on any of my drives any more, but my 500gb is still asking me what to do when I double click it.

Thanks for the reply, hopefully we can get this sorted :thumbsup:

I believe though, I just need an example autorun.inf so that I can configure mine similarly; I think that's the issue here.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:00 PM

Posted 28 February 2009 - 10:19 PM

That doesn't look good from what I researched..

Take a read at the description:

This is an Internet worm. It may spread via e-mail attachments or through some networks and vulnerable programs. Once executed, the worm starts its spreading routine and may have a payload. It may infect personal documents, corrupt system files or delete several programs. The worm may be used by attackers to control your system remotely.


We may need to move you to the AII now and deal with it there.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 blake.403

blake.403
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 28 February 2009 - 11:46 PM

Well as I said, I know sever.exe is a virus and AFAIK it's cleaned from my system. I've run HijackThis, Malwarebytes Anti-Malware, NOD32 run from MiniPE, and none of them have returned anything. The sever.exe file used to be found simply by searching my system; I renamed it to sever.exe.del, and searched my system for sever, and the only thing that came up was sever.exe.del, and only 1 copy.

None of my files have become corrupt, I haven't had issues; the only issue began when I removed it from my one external HDD and I can no longer open my external drive normally. I have to 'Explore' the drive to open it :thumbsup:

I've removed it from my C:\ drive, 2 other internal HDDs and 1 other external HDD, with seemingly no issues. Just this one external is giving issues with the autorun.

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:00 PM

Posted 01 March 2009 - 09:25 AM

Hello.

Flash-drive disinfector does a good job of removing that problem. Not sure why it isn't working for you right now..

Try renaming it to something else when downloading it such as: Random.exe

Try running it with administrative privileges. See if it works this time. Make sure your removable drive is plugged in when prompted. Let us know how it goes..

With Regards,
Extremeboy

#7 blake.403

blake.403
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 01 March 2009 - 10:05 AM

My account I have on my system is the Administrator Account. It's the primary account and no other sub-user is on my system. Not even a User with the Computer Admin rights.

When I click Run As it says Current User: (BLAKE-DESKTOP\Administrator). When I choose Run as following user, it defaults to Administrator, but I have no password and it errors when I try to run it that way. I also notice when I right click and Run As, by default it selects Current User, and when it's chosen by that, there's another option that is checked called "Run this program with restricted access". I unchecked that as well, and it again doesn't do anything.

I just downloaded the program as well using IE and saved it as test.exe, and still no change. I've tried running the program with both my External HDD plugged in before running it, and with my External drive disconnected then running it to see if it prompts.

Could this be just because it's not a true flash drive? It's literally a 500gb External HDD.

I just came across an Old flash drive of mine as well that actually had an autorun.inf

I replaced the autorun.inf file with

[autorun]
action=Open Files On Folder

Still no effect.

I think I remember, a while ago, researching something about this issue now that I think about it... I fixed it by deleting a registry key. I'll see if I can find that again.

Edited by blake.403, 01 March 2009 - 10:06 AM.


#8 Pandy

Pandy

    Bleepin'


  • Members
  • 9,559 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:00 PM

Posted 01 March 2009 - 10:35 AM

Moved to Am I Infected from Windows XP Home and Professional.



#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:00 PM

Posted 01 March 2009 - 02:32 PM

Hello.

I don't think that's the problem. Do the following.

Create and Run Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    @Echo Off
    
    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /s >Log.txt
    start notepad Log
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input look.bat
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click look.bat; a notepad window should open. Post the contents of that log in your next reply please.
If you are using Windows Vista, right click the icon and select "Run as Administrator".

Post back with that log.txt in your next reply, it can also be found on your desktop if you closed it.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan..

Let me know how it goes and post the logs back.

With Regards,
Extremeboy

#10 blake.403

blake.403
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 01 March 2009 - 11:21 PM

Create and Run Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".

@Echo Off

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /s >Log.txt
start notepad Log
del %0


This part here reminded me of how I fixed a similar problem on my brother's computer. I was told to delete the MountPoints2 registry folder. I, in fear of an error, simply changed the name to MountPoints2.old. I'm fairly certain that fixed his issue, as all his drives, when he connected them, rescanned and re-registered themselves basically.

As you'll see in the .log file I will attach to this post, this is what's likely causing my issue here.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{61f71d82-df96-11dd-9148-806e6f6e6963}\Shell\Auto\command
(Default) REG_SZ Sever.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{61f71d82-df96-11dd-9148-806e6f6e6963}\Shell\AutoRun\command
(Default) REG_SZ C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sever.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8fe1246b-f681-11dd-81b0-001fbc000dc1}\Shell\Auto\command
(Default) REG_SZ F:\Sever.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8fe1246b-f681-11dd-81b0-001fbc000dc1}\Shell\AutoRun\command
(Default) REG_SZ C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sever.exe



As for GMER.

I downloaded GMER, but whenever I run it it gives me the following error:

System\CurrentControlSet\Services\gmer: The handle is invalid.

It gives me that error in both Safe mode and normal boot. I also have all programs shut down as requested and disabled my internet access.

Now despite the error, the program will still run. I went to the Settings tab, and enabled the first 5 options as you said. Clicked OK, and chose to reboot. I rebooted normally, and ran GMER again (clicked OK to that error again as well). Now in the Rootkit/Malware tab, you said click all settings except for "Show All".

The only settings I'm able to select are

Services
Registry
Files
>C:\
>D:\
>E:\
>J:\
ADS

The rest are grayed out and I cannot select them (may be an issue with the services error)

By default; Services, Registry, Files -> C:\, ADS are selected.

I ran the scan regardless, and the scan came back clean. I would give you the log, but when clicking Copy, it copies nothing. I also clicked "Save..." and saved to a log file that way; the log file is empty anyway.

Well.. I believe I did each step as you requested, and I gave you all the errors I ran into. I truly do believe that simply changing MountPoints2 will fix my problem.

As I had said before, I'm certain that my computer doesn't have a virus/malware/spyware infection, and as HijackThis (latest executable; scanned log @ hijackthis.de), Spybot (latest install), NOD32 (run via Hirens 9.5), Malwarebytes Anti-Malware (latest download available from their site), GMER (your direct link) and a handful of others have reported 0 issues, I'm quite certain it's just those 4 registry entries that are giving me issues.

I think I'm going to alter the MountPoints2 registry file. I'll report my findings back here.

Thanks for the help so far.

Edit: I forgot to add the .log file you had me create using the batch file.

On a side note, the usual "Upload File" is missing, so I will paste the full log here. Sorry for the length.


Edited by blake.403, 01 March 2009 - 11:32 PM.


#11 blake.403

blake.403
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 01 March 2009 - 11:38 PM

Just as an update. I renamed MountPoints2 to MountPoints2.old

Once I did that, I reconnected my 500gb External that was having issues. It rescanned the drive, and prompted me what to do the normal way (open folder, etc.) I can now open the drive normally through My Computer by double clicking it.

Thanks for your help. I've solved my issue.

If you still believe I have an infection, feel free to let me know and any other steps. But as it stands now, my system appears to be clean, and simply by deleting MountPoints2.. or at least altering the default path by renaming the branch to something different (i.e. MountPoints2.old), the system thinks it's deleted, and will create a new MountPoints2 entry in the registry and rescan your drives. Assuming you've deleted Sever.exe from your system, and all traces, this will fix your issue it seems :thumbsup:


Update:

After removing the MountPoints2 registry key, I did lose sound. If this happens to you, simply reboot your computer and it should be fixed. :flowers:

Edited by blake.403, 01 March 2009 - 11:49 PM.


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:00 PM

Posted 02 March 2009 - 04:16 PM

Hello.

Glad the problem is resolved, but usually you don't delete the whole MountPoints2 registry key. You can, but that's not the correct way to approach it :thumbsup:

If you want to make sure you are clean, run an online scan.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
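As an added example, not posted by anyone in this thread, the PowerShell below inspects the per-user MountPoints2 cache that Explorer builds from each volume's autorun.inf and, for one chosen volume GUID, removes only that volume's cached handlers after exporting a backup, instead of renaming the whole key. The function names and the backup path under $env:TEMP are my own choices; the registry layout (Shell\<verb>\command and _Autorun under each {GUID} subkey) is the one shown in the registry dump earlier in this thread.

```powershell
# Added example (not from any poster in this thread): audit the MountPoints2
# cache that Explorer builds from each volume's autorun.inf, and clean only the
# cached handlers of one volume instead of renaming the whole key.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-AutorunHandlers {
    # One object per cached volume verb that has a Shell\<verb>\command value,
    # i.e. the command line Explorer would run on double-click or AutoPlay.
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '{*}' } |   # volume GUID subkeys only
        ForEach-Object {
            $guid = $_.PSChildName
            Get-ChildItem -Path (Join-Path $_.PSPath 'Shell') -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $cmdKey = Join-Path $_.PSPath 'command'
                    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
                    if ($cmd) {
                        [pscustomobject]@{ Volume = $guid; Verb = $_.PSChildName; Command = $cmd }
                    }
                }
        }
}

function Remove-AutorunHandler {
    # Deletes the Shell and _Autorun subkeys of a single volume GUID after
    # exporting the key with reg.exe, so the change can be undone with 'reg import'.
    param([Parameter(Mandatory)][string]$VolumeGuid)
    $key = Join-Path $base $VolumeGuid
    if (-not (Test-Path $key)) { throw "No MountPoints2 entry for $VolumeGuid" }
    $backup = Join-Path $env:TEMP ("MountPoints2_" + $VolumeGuid.Trim('{}') + ".reg")
    $regKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\' + $VolumeGuid
    reg.exe export $regKey $backup /y | Out-Null
    foreach ($sub in 'Shell', '_Autorun') {
        $p = Join-Path $key $sub
        if (Test-Path $p) { Remove-Item -Path $p -Recurse -Force }
    }
    "Backed up to $backup; Explorer rebuilds the entry the next time the volume is inserted."
}

# Report every cached handler. A command that names an executable in a volume's
# root (e.g. Sever.exe from the autorun.inf quoted in this thread) is suspect;
# pass that volume's GUID to Remove-AutorunHandler once the file itself is gone.
Get-AutorunHandlers | Format-Table -AutoSize
```

Removing a single volume's handlers does not trigger the lost-sound side effect the topic starter reported after removing the whole key, because the other volume entries and the CPC subkey stay intact.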

#13 blake.403

blake.403
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 02 March 2009 - 08:10 PM

Well.. I ran the scan with Kaspersky Online scanner, which did find traces of _Sever.exe in my windows folder. 1 was in c:\windows\system32\_Sever.exe, the other one was in C:\Windows\SysWOW64\_Sever.exe

There were also a few other infections found in some restore sections.

Now, for whatever reason, my browser closed, and I was unable to get the log file from Kaspersky, but I did rescan it.. however this time near the end (99%) it started going brutally slow (CPU/Memory usage was fine though), then the scan time actually stopped and froze. I clicked stop scan hoping to get a log but it hasn't given one yet, and appears to still be struggling to stop.

This is the best I can get you at the moment

Files scanned 103701
Threat names 2
Infected objects 11
Suspicious objects 0
Duration of the scan 01:24:20

I know Kaspersky Online Scanner doesn't allow you to remove any threats (or at least I've never seen any blatant way to tell it to remove threats), so I'm simply assuming you will give me another tool to run as now we know _Sever.exe is still present even though several programs were unable to find it.

As a side note.. Sever.exe is still not in my root drive locations on my externals or my internal HDDs, it's just buried in my Windows folder.

If I head out later tonight, I will attempt to run Kaspersky Online Scanner again, and leave it for 2+ hours and hope it finishes successfully.

Edited by blake.403, 02 March 2009 - 08:12 PM.


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:00 PM

Posted 02 March 2009 - 08:58 PM

Hello.

Sever.exe is not a pleasant infection. I should have warned you in the beginning.

Take a read over here. Your computer may be compromised.

I would like to check for rootkits; also let me know how the Kaspersky scan goes. Without the location it's difficult to deal with it. You can try to search for the file name and delete it manually and see if it works; if not, we will deal with it afterwards.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
    • Click on Scan and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

With Regards,
Extremeboy

#15 blake.403

blake.403
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:00 PM

Posted 02 March 2009 - 09:05 PM

As for GMER.

I downloaded GMER, but whenever I run it it gives me the following error:

System\CurrentControlSet\Services\gmer: The handle is invalid.

It gives me that error in both Safe mode and normal boot. I also have all programs shut down as requested and disabled my internet access.

Now despite the error, the program will still run. I went to the Settings tab, and enabled the first 5 options as you said. Clicked ok, and chose to reboot. I rebooted normally, and ran GMER again (clicked ok to that error again as well). Now in the Rootkit/Malware tab. You said click all settings except for "Show All".

The only settings I'm able to select are

Services
Registry
Files
>C:\
>D:\
>E:\
>J:\
ADS

The rest are grayed out and I cannot select them (may be an issue with the services error)

By default; Services, Registry, Files -> C:\, ADS are selected.

I ran the scan regardless, and the scan came back clean. I would give you the log.. but when clicking copy, it copies nothing. I also clicked "Save..." and saved to a log file that way; the log file is empty anyway.


I did run GMER already as asked before. I am running it again and will update further, but there is a good chance that, since nothing too much has changed, I would imagine it will come back clean again.



