Vbs small autorun.vbs

Well, hi. Avast recently found a worm named VBS.Small on my PC and I proceeded to delete it, but it still keeps warning. I read a post in this forum, downloaded SuperAntiSpyware, ran a scan, updated avast and superspy, and tried a restore. I think my PC is fine now, but I can’t open the C: disk from my PC; it always says "can’t find command file “C:/autorun.vbs”". I have Windows XP SP2.

I'd very much appreciate it if anyone can tell me what I should do, thx.
Sorry for my English, it sucks xD.

Welcome to the forum, Xanter. Your English is just fine. :slight_smile:

Can you post the SuperAntiSpyware log, please.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/15/2007 at 06:37 PM

Application Version : 3.7.1018

Core Rules Database Version : 3238
Trace Rules Database Version: 1249

Scan type : Complete Scan
Total Scan Time : 00:22:33

Memory items scanned : 531
Memory threats detected : 0
Registry items scanned : 5245
Registry threats detected : 2
File items scanned : 27308
File threats detected : 7

Unclassified.Unknown Origin/System
[SW20] C:\WINDOWS\SYSTEM32\SW20.EXE
C:\WINDOWS\SYSTEM32\SW20.EXE
[SW24] C:\WINDOWS\SYSTEM32\SW24.EXE
C:\WINDOWS\SYSTEM32\SW24.EXE
C:\WINDOWS\Prefetch\SW20.EXE-1937B160.pf
C:\WINDOWS\Prefetch\SW24.EXE-0803863D.pf

Adware.Tracking Cookie
C:\Documents and Settings\Administrador\Cookies\administrador@mb[2].txt
C:\Documents and Settings\Administrador\Cookies\administrador@ads.miarroba[2].txt
C:\Documents and Settings\Administrador\Cookies\administrador@ads.elserver[2].txt
:slight_smile:

In order to fix this you will probably need to edit your registry but I would first like to verify a couple things.

Please look in C:\ for the presence of any file named autorun with any extension (autorun.*) and post what you find. If you have additional drives check the root on those too.

Then, using the search function, locate userinit.exe and post its location (do not delete this file).

SW20.exe and SW24.exe appear to be related to Dynamic_Overclocking_Technology,
http://www.bleepingcomputer.com/startups/sw20.exe-14629.html,
http://www.castlecops.com/s12549-sw24_exe.html. Is this something you have installed?

Another thing: the autorun files I deleted yesterday :-\ like 3 files in C:

USERINIT.EXE-30B18140.pf C:/WINDOWS/prefetch
userinit C:windows/system32

Kasper posted a method to fix this here

http://forum.avast.com/index.php?topic=28222.msg231333#msg231333

but I cannot vouch for its safety or usefulness.

EDIT: I am recommending against Kasper’s method for reasons posted in that thread.

If you’re not comfortable with that method then here’s a link with instructions to back up your registry

http://support.microsoft.com/kb/322756

and a manual fix

Click Start>Run
Type regedit in the field and click OK.
Navigate to and highlight the following registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right hand pane, right click Userinit and click Modify.
If the Value Data field reads C:\Windows\system32\userinit.exe,autorun.exe change it to

C:\WINDOWS\system32\userinit.exe,

Make sure to include the “,” at the end of the line.

If you changed this key click OK and save the change (otherwise just X out of the window).

Reboot.

Click Start>Run.
Type cmd and click OK.
In the window that opens type cd\ and hit the enter Key
At the prompt type del autorun.* and hit the enter key

You may need to do the file deletions for each of your drives, including USB drives. These should be set to prevent them from auto-running before insertion or you may become infected again.

I did that, but when I type cd/ and then del autorun.vbs it says it can’t find that file, and I still have the same problem: I can’t open C: because it doesn't find autorun.vbs =/

Check the registry key again - how does it read now?

name of value
userinit

value info
userinit.exe,

And the avast log: I scanned today and it found the worm again =/ Here is the log from when everything started:

13/05/2007 07:15:56 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:17:00 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:18:05 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:19:16 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:29:24 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:30:34 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:31:39 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:32:47 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:33:56 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:35:06 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:44:44 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:45:48 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:46:52 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:47:56 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:48:58 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:50:03 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:51:06 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:52:09 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:53:13 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:54:16 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:55:33 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 07:56:46 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:17:17 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:18:20 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:19:27 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:20:31 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:21:34 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:25:49 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:27:00 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:28:32 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:29:37 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:30:41 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:31:44 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:32:51 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:33:54 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:34:58 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:36:01 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:37:03 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:38:05 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 08:39:09 p.m. SYSTEM 1272 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
13/05/2007 10:40:46 p.m. Administrador 2696 Sign of “VBS:Small” has been found in “C:\Archivos de programa\Alwil Software\Avast4\DATA\moved\AUTORUN.VVBS.vir” file.
15/05/2007 02:56:27 p.m. Administrador 3024 Sign of “VBS:Small” has been found in “C:\Archivos de programa\Alwil Software\Avast4\DATA\moved\AUTORUN.VVBS.vir” file.
15/05/2007 03:31:00 p.m. Administrador 3024 Sign of “VBS:Small” has been found in “C:\autorun.ra_\autorun.ar\autorun.r\autorun.\autorun.vbs” file.
15/05/2007 03:31:41 p.m. Administrador 3024 Sign of “VBS:Small” has been found in “C:\AUTORUN.VVBS” file.
15/05/2007 03:31:51 p.m. Administrador 3024 Sign of “VBS:Small” has been found in “C:\autorun.ar\autorun.r\autorun.\autorun.vbs” file.
15/05/2007 03:31:55 p.m. Administrador 3024 Sign of “VBS:Small” has been found in “C:\autorun.r\autorun.\autorun.vbs" file.
15/05/2007 03:31:57 p.m. Administrador 3024 Sign of “VBS:Small” has been found in "C:\autorun.
\autorun.vbs" file.
15/05/2007 04:05:06 p.m. Administrador 3024 Sign of “VBS:Small” has been found in "C:\WINDOWS\system32\autorun.ra
\autorun.ar\autorun.r\autorun.\autorun.vbs" file.
15/05/2007 04:05:06 p.m. Administrador 3024 Sign of “VBS:Small” has been found in “C:\WINDOWS\system32\AUTORUN.VVBS” file.
15/05/2007 04:05:07 p.m. Administrador 3024 Sign of “VBS:Small” has been found in “C:\WINDOWS\system32\autorun.ar\autorun.r\autorun.\autorun.vbs” file.
15/05/2007 04:05:07 p.m. Administrador 3024 Sign of “VBS:Small” has been found in "C:\WINDOWS\system32\autorun.r\autorun.
\autorun.vbs” file.
15/05/2007 04:05:07 p.m. Administrador 3024 Sign of “VBS:Small” has been found in “C:\WINDOWS\system32\autorun.\autorun.vbs" file.
19/05/2007 05:10:05 p.m. Administrador 204 Sign of “VBS:Small” has been found in "C:\autorun.ra
\autorun.ar\autorun.r\autorun.\autorun.vbs" file.
19/05/2007 05:47:37 p.m. Administrador 204 Sign of “VBS:Small” has been found in "C:\WINDOWS\system32\autorun.ra
\autorun.ar\autorun.r\autorun.\autorun.vbs" file.
19/05/2007 05:58:35 p.m. Administrador 204 Sign of “VBS:Small” has been found in “C:\WINDOWS\system32\autorun.ar\autorun.r\autorun.\autorun.vbs” file.
19/05/2007 05:58:37 p.m. Administrador 204 Sign of “VBS:Small” has been found in "C:\WINDOWS\system32\autorun.r\autorun.
\autorun.vbs” file.

Download Deckard’s System Scanner (DSS) to your Desktop.
  1. Close all applications and windows.
  2. Double-click on DSS.exe to run it, and follow the prompts.
  3. The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard’s System Scanner to run and don’t let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus)

Post the main.txt from the C:\Deckard\System Scanner folder into your next reply.

Deckard’s System Scanner v20070426.43
Run by Administrador on 2007-05-20 at 02:07:23
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

– Last 5 Restore Point(s) –
30: 2007-05-20 06:07:27 UTC - RP86 - Deckard’s System Scanner Restore Point
29: 2007-05-19 01:54:07 UTC - RP85 - Punto de control del sistema
28: 2007-05-15 22:47:33 UTC - RP84 - Operación de restauración
27: 2007-05-15 22:44:45 UTC - RP83 - Operación de restauración
26: 2007-05-15 21:53:27 UTC - RP82 - Installed SUPERAntiSpyware Professional

– First Restore Point –
1: 2007-02-21 01:48:04 UTC - RP57 - Instalado J2SE Runtime Environment 5.0 Update 11

Backed up registry hives.

Performed disk cleanup.

– HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-05-20 02:13:01
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.0.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\soundman.exe
C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\Archivos de programa\HP\HP Software Update\hpwuSchd2.exe
C:\Archivos de programa\DAP\DAP.exe
C:\WINDOWS\sm56hlpr.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Microsoft Encarta\Encarta 2006 Biblioteca Premium\EDICT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\MSI\Core Center\CoreCenter.exe
C:\Archivos de programa\MSI\DigiCell\DigiCell.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\Media Key\MagicKey.exe
C:\Archivos de programa\Media Key\OSD.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Administrador\Mis documentos\My Completed Downloads\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.ve/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Complemento del Asistente para Internet de Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Asistente para Internet de Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [HP Software Update] “C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe”
O4 - HKLM..\Run: [DownloadAccelerator] “C:\Archivos de programa\DAP\DAP.EXE” /STARTUP
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Archivos de programa\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [MsnMsgr] “C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [E06EDXRC_5576859] “C:\Archivos de programa\Microsoft Encarta\Encarta 2006 Biblioteca Premium\EDICT.EXE” -m
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: CoreCenter.lnk = C:\Archivos de programa\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: DigiCell.lnk = C:\Archivos de programa\MSI\DigiCell\DigiCell.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicio rápido de HP Image Zone.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Media Key.lnk = C:\Archivos de programa\Media Key\MagicKey.exe
O8 - Extra context menu item: &Clean Traces - C:\Archivos de programa\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Archivos de programa\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Archivos de programa\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra ‘Tools’ menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - (file missing)
O9 - Extra ‘Tools’ menuitem: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O17 - HKLM\SYSTEM\CCS\Services\Tcpip..{9920DC66-91E8-4241-84EF-E7467B95DE20}: NameServer = 200.44.32.12 200.11.248.12
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\ARCHIV~1\MSNMES~1\msgrapp.dll” (file missing)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - “C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe”
O23 - Service: avast! Antivirus - ALWIL Software - “C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe”
O23 - Service: avast! Mail Scanner - ALWIL Software - “C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe” /service
O23 - Service: avast! Web Scanner - ALWIL Software - “C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe” /service
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Microsoft Corp., VERITAS Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

– File Associations -----------------------------------------------------------

All associations okay.

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 kbfilter (Keyboard Filter Driver) - c:\windows\system32\drivers\kbfilter.sys <Not Verified; WayTech Development, Inc.; Keyboard filter driver>
R1 SASDIFSV - c:\archivos de programa\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\archivos de programa\superantispyware\saskutil.sys
R1 UsbFltr (WayTechUSBFilterDriver) - c:\windows\system32\drivers\usbfltr.sys <Not Verified; Waytech Development, Inc.; Ortek USB Keypad>
R3 DigiCellDriver - c:\archivos de programa\msi\digicell\ntglm7x.sys <Not Verified; Your Corporation; Your Product Name>
R3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>
R3 PCAlertDriver - c:\archivos de programa\msi\core center\ntglm7x.sys <Not Verified; MICRO-STAR INT’L CO., LTD.; MSI PCAlert 4>
R3 PCASp50 (PCASp50 NDIS Protocol Driver) - c:\windows\system32\drivers\pcasp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 RushTopDevice - c:\archivos de programa\msi\core center\rushtop.sys <Not Verified; MICRO-STAR INT’L CO., LTD.; MSI CoreCenter>
R3 SASENUM - c:\archivos de programa\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 MSICPL - d:\install4\msicpl.sys (file missing)
S3 npkcrypt - d:\ancient ragnarok online\npkcrypt.sys (file missing)
S3 NTACCESS - d:\ntaccess.sys (file missing)
S3 SetupNTGLM7X - d:\ntglm7x.sys (file missing)
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

– Files created between 2007-04-20 and 2007-05-20 -----------------------------

2007-05-15 18:46:33 0 d-------- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2007-05-15 17:53:28 0 d-------- C:\Archivos de programa\SUPERAntiSpyware
2007-05-07 19:19:15 0 d-------- C:\WINDOWS\Motorola
2007-05-05 14:20:37 0 d-------- C:\Archivos de programa\Tibia
2007-05-04 20:32:25 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2007-05-02 19:41:37 560 -rahs---- C:\WINDOWS\system32\autorun.reg
2007-05-02 19:41:37 967 -rahs---- C:\WINDOWS\system32\autorun.pif
2007-05-02 19:41:37 959 -rahs---- C:\WINDOWS\system32\autorun.bin
2007-05-02 19:41:37 653 -rahs---- C:\WINDOWS\system32\autorun.bat
2007-05-02 19:41:35 560 -rahs---- C:\autorun.reg
2007-05-02 19:41:35 967 -rahs---- C:\autorun.pif
2007-05-02 19:41:35 959 -rahs---- C:\autorun.bin
2007-05-02 19:41:35 653 -rahs---- C:\autorun.bat

– Find3M Report ---------------------------------------------------------------

2007-05-19 09:00:01 0 d-------- C:\Documents and Settings\Administrador\Datos de programa\WinRAR
2007-05-18 19:59:30 0 d-------- C:\Archivos de programa\eMule
2007-05-15 17:53:28 0 d-------- C:\Documents and Settings\Administrador\Datos de programa\SUPERAntiSpyware.com
2007-05-15 17:53:16 0 d-------- C:\Archivos de programa\Archivos comunes
2007-05-15 14:54:08 53 --a------ C:\biosinfo
2007-05-05 11:05:19 0 d-------- C:\Archivos de programa\Lineage II
2007-05-05 09:55:52 0 d-------- C:\Archivos de programa\Call of Duty
2007-05-04 20:23:26 0 d–h----- C:\Archivos de programa\InstallShield Installation Information
2007-03-27 10:12:14 0 d-------- C:\Archivos de programa\Playboy - The Mansion
2007-02-20 21:10:00 0 --a------ C:\WINDOWS\mozver.dat

– Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{955BE0B8-BC85-4CAF-856E-8E0D8B610560} C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
“SoundMan”=“SOUNDMAN.EXE”
“NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup”
“nwiz”=“nwiz.exe /install”
“avast!”=“C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe”
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe”
“RemoteControl”=“"C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"”
“NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit”
“HP Software Update”=“"C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe"”
“DownloadAccelerator”=“"C:\Archivos de programa\DAP\DAP.EXE" /STARTUP”
“SMSERIAL”=“sm56hlpr.exe”

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
“MSMSGS”=“"C:\Archivos de programa\Messenger\msmsgs.exe" /background”
“MsnMsgr”=“"C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background”
“E06EDXRC_5576859”=“"C:\Archivos de programa\Microsoft Encarta\Encarta 2006 Biblioteca Premium\EDICT.EXE" -m”
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe”
“SUPERAntiSpyware”=“C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe”

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”=“”

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{23116908-3a43-11db-a9ec-806d6172696f}]
Shell\AutoRun\command D:\SETUP.EXE /AUTORUN
Shell\configure\command D:\SETUP.EXE
Shell\install\command D:\SETUP.EXE

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}]
Shell\AutoRun\command E:
Shell\explore\Command WScript.exe .\autorun.vbs
Shell\open\Command WScript.exe .\autorun.vbs

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{54980842-3bec-11d8-b333-806d6172696f}]
Shell\AutoRun\command D:\Setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}]
Shell\AutoRun\command E:
Shell\explore\Command WScript.exe .\autorun.vbs
Shell\open\Command WScript.exe .\autorun.vbs

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{96cc2f00-8a42-11db-8418-00161793e47b}]
Shell\Auto\command E:\RavMonE.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

– End of Deckard’s System Scanner: finished at 2007-05-20 at 02:13:24 ---------

Please Download Clean Autoruns.

Save Clean autoruns.zip to your desktop and extract (unzip) its contents to the desktop. It contains a batch file, Clean autoruns.bat, written by Mosaic1. Once extracted, insert any USB drives, external drives, memory cards, etc. you have, open the Clean autoruns folder and double click Clean autoruns.bat to run the fix. The external drives must be connected prior to running the batch file.

  1. If any autoruns are found, the fix will move them to a backup folder.
  2. If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
  3. It will produce two files, Part1.txt and Part2.txt, that will show the state before and after the cleaning.
  4. Please post the contents of Part1.txt and Part2.txt in your next reply.

** It is important that you follow these directions exactly as given.
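
Added example, not part of the original thread or of any tool named in it: a Python audit of a REGEDIT4-style export covering the two registry locations this thread works on, the Winlogon Userinit value from the manual fix and the MountPoints2 shell verbs that Clean Autoruns resets. The sample export is constructed from values quoted in the thread, the function names are hypothetical, and the expected Userinit path assumes Windows is installed in C:\WINDOWS.

```python
import ntpath
import re

# Constructed sample in REGEDIT4 export syntax, modelled on values quoted in this
# thread (string data doubles its backslashes; key paths do not).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,autorun.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{23116908-3a43-11db-a9ec-806d6172696f}\Shell\AutoRun\command]
@="D:\\SETUP.EXE /AUTORUN"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell\open\Command]
@="WScript.exe .\\autorun.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell\explore\Command]
@="WScript.exe .\\autorun.vbs"
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: Windows is installed in C:\WINDOWS, as on the machine in the thread.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
SCRIPT_HOSTS = ("wscript", "cscript")

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
MP2_COMMAND = re.compile(r'\\MountPoints2\\([^\\]+)\\Shell\\([^\\]+)\\command$', re.I)


def unescape(data):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', data)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = VALUE.match(line)
        if value and current is not None:
            raw_name = value.group(1)
            name = "" if raw_name == "@" else unescape(raw_name[1:-1])
            current[name] = unescape(value.group(2))
    return keys  # hex: and dword: values are skipped on purpose


def audit_userinit(value):
    """Check each comma-separated Userinit entry against the expected single program."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings = []
    for entry in entries:
        low = entry.lower()
        if low == EXPECTED_USERINIT:
            continue
        if low == "userinit.exe":
            findings.append(("no-path", entry))        # bare name, not pinned to system32
        else:
            findings.append(("extra-program", entry))  # e.g. the autorun.exe in the thread
    if not any(e.lower() in (EXPECTED_USERINIT, "userinit.exe") for e in entries):
        findings.append(("userinit-missing", value))
    return findings


def program_of(command):
    """First token of a command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""


def audit_mountpoints(keys):
    """Flag cached per-volume shell verbs that hijack drive opening or start a script host."""
    findings = []
    for path, values in keys.items():
        match = MP2_COMMAND.search(path)
        if not match or "" not in values:
            continue
        volume, verb, command = match.group(1), match.group(2).lower(), values[""]
        program = ntpath.splitext(ntpath.basename(program_of(command)))[0].lower()
        reasons = []
        if program in SCRIPT_HOSTS:
            reasons.append("script-host")
        # open/explore are what Explorer runs when the drive is opened, so a stale
        # entry keeps failing after the script file is gone (the symptom reported here).
        if verb in ("open", "explore"):
            reasons.append("drive-verb-override")
        if reasons:
            findings.append((volume, verb, command, reasons))
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    print(audit_userinit(parsed[WINLOGON]["Userinit"]))
    for finding in audit_mountpoints(parsed):
        print(finding)
```

The script only reads an export file and changes nothing in the registry; the CD-ROM entry that runs D:\SETUP.EXE under the AutoRun verb is deliberately not flagged.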

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{0d262ab9-3bf4-11d8-91ec-806d6172696f}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{23116908-3a43-11db-a9ec-806d6172696f}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,60,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{23116908-3a43-11db-a9ec-806d6172696f}\Shell]
@=“AutoRun”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{23116908-3a43-11db-a9ec-806d6172696f}\Shell\AutoRun]
@=“Reproducción &automática”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{23116908-3a43-11db-a9ec-806d6172696f}\Shell\AutoRun\command]
@=“D:\SETUP.EXE /AUTORUN”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{23116908-3a43-11db-a9ec-806d6172696f}\Shell\configure]
@=“&Configurar…”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{23116908-3a43-11db-a9ec-806d6172696f}\Shell\configure\command]
@=“D:\SETUP.EXE”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{23116908-3a43-11db-a9ec-806d6172696f}\Shell\install]
@=“&Instalar…”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{23116908-3a43-11db-a9ec-806d6172696f}\Shell\install\command]
@=“D:\SETUP.EXE”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{23116908-3a43-11db-a9ec-806d6172696f}_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{23116908-3a43-11db-a9ec-806d6172696f}_Autorun\DefaultIcon]
@=“D:\SETUP.EXE,1”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{3fdf7144-7d21-11db-83ce-806d6172696f}]
“BaseClass”=“Drive”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{3fdf7145-7d21-11db-83ce-806d6172696f}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,cf,cf,5f,5f,
5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,cf,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,60,00,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{3fdf7145-7d21-11db-83ce-806d6172696f}\Name]
@=“Need for Speed Underground 2”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,05,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell]
@=“Open”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell\AutoRun]
“Extended”=“”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell\AutoRun\command]
@=“E:\”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell\explore]
@=“×ÊÔ´¹ÜÀíÆ÷(&X)”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell\explore\Command]
@=“WScript.exe .\autorun.vbs”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell\open]
@=“´ò¿ª(&O)”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell\open\Command]
@=“WScript.exe .\autorun.vbs”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4c1ac426-7d74-11db-83d4-00161793e47b}\Shell\open\Default]
@=“1”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{54980842-3bec-11d8-b333-806d6172696f}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,60,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{54980842-3bec-11d8-b333-806d6172696f}\Shell]
@=“AutoRun”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{54980842-3bec-11d8-b333-806d6172696f}\Shell\AutoRun]
@=“Reproducción &automática”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{54980842-3bec-11d8-b333-806d6172696f}\Shell\AutoRun\command]
@=“D:\Setup.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{54980842-3bec-11d8-b333-806d6172696f}_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{54980842-3bec-11d8-b333-806d6172696f}_Autorun\DefaultIcon]
@=“D:\MSIIco.ico”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8b091306-3a45-11db-a9ef-0016174b6ce1}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8b091306-3a45-11db-a9ef-0016174b6ce1}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8b091306-3a45-11db-a9ef-0016174b6ce1}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8b091306-3a45-11db-a9ef-0016174b6ce1}\shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,01,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}\Shell]
@=“Open”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}\Shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}\Shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}\Shell\AutoRun]
“Extended”=“”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}\Shell\AutoRun\command]
@=“E:\”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}\Shell\explore]
@=“×ÊÔ´¹ÜÀíÆ÷(&X)”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}\Shell\explore\Command]
@=“WScript.exe .\autorun.vbs”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}\Shell\open]
@=“´ò¿ª(&O)”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}\Shell\open\Command]
@=“WScript.exe .\autorun.vbs”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{913a9b3e-f906-11db-8551-00161793e47b}\Shell\open\Default]
@=“1”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{96cc2f00-8a42-11db-8418-00161793e47b}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,09,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{96cc2f00-8a42-11db-8418-00161793e47b}\Shell]
@=“Auto”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{96cc2f00-8a42-11db-8418-00161793e47b}\Shell\Auto]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{96cc2f00-8a42-11db-8418-00161793e47b}\Shell\Auto\command]
@=“E:\RavMonE.exe e”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{96cc2f00-8a42-11db-8418-00161793e47b}\Shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{96cc2f00-8a42-11db-8418-00161793e47b}\Shell\Autoplay\DropTarget]
“CLSID”=“{f26a669a-bcbb-4e37-abf9-7325da15f931}”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{96cc2f00-8a42-11db-8418-00161793e47b}\Shell\AutoRun]
“Extended”=“”
@=“Reproducción &automática”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{96cc2f00-8a42-11db-8418-00161793e47b}\Shell\AutoRun\command]
@=“C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{a175babc-8325-11db-83f6-00161793e47b}]
“BaseClass”=“Drive”
“_AutorunStatus”=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,00,00,10,00,00,08,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{a175babc-8325-11db-83f6-00161793e47b}\shell]
@=“None”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{a175babc-8325-11db-83f6-00161793e47b}\shell\Autoplay]
“MUIVerb”=“@shell32.dll,-8504”

part1txt

part2.txt sorry for all that mess, I found the uploader in the options later lol >.<

Sorry - I was trying to post the logs for you

See if any of these files still exist

C:\AUTORUN.VVBS

C:\AUTORUN.VBS

C:\autorun.ra_\autorun.ar\autorun.r\autorun.\autorun.vbs

C:\autorun.r\autorun._\autorun.vbs

C:\autorun.___\autorun.vbs

And then post the Part 2 log (it's difficult to work with as an attachment).
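An added example, not part of the original thread: a small Python triage pass over a MountPoints2 export like the one pasted above, listing every cached `Shell\<verb>\command` entry and flagging those that start a script host or replace the `open`/`explore` verbs, which is the pattern behind the "can't find C:\autorun.vbs" error on double-click. The sample text, placeholder GUIDs, function names and the two heuristics are assumptions made for illustration.

```python
import re

# Constructed sample: three keys shaped like the export pasted above
# (curly quotes kept as the forum rendered them; GUIDs are placeholders).
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{00000000-0000-0000-0000-000000000001}\Shell\open\Command]
@=“WScript.exe .\autorun.vbs”
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{00000000-0000-0000-0000-000000000001}\Shell\explore\Command]
@=“WScript.exe .\autorun.vbs”
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{00000000-0000-0000-0000-000000000002}\Shell\AutoRun\command]
@=“D:\Setup.exe”
'''

# The backslash before the GUID is optional because the forum paste dropped it.
KEY_RE = re.compile(
    r'^\[.*?MountPoints2\\?(\{[0-9a-fA-F-]{36}\})\\shell\\([^\\\]]+)\\command\]$',
    re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@=["“”](.*)["“”]$')   # default value, straight or curly quotes
SCRIPT_HOSTS = ("wscript", "cscript")            # assumption: hosts worth flagging
EXPLORER_VERBS = ("open", "explore")             # verbs Explorer runs on a drive


def shell_commands(reg_text):
    """Yield (volume_guid, verb, command) for every Shell\\<verb>\\command key."""
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m.group(1).lower(), m.group(2).lower()) if m else None
        elif current:
            m = DEFAULT_RE.match(line)
            if m:
                yield current[0], current[1], m.group(1)
                current = None


def suspicious(reg_text):
    """Return entries whose command starts a script host or replaces open/explore."""
    hits = []
    for guid, verb, cmd in shell_commands(reg_text):
        reasons = []
        if cmd.lower().lstrip('"').startswith(SCRIPT_HOSTS):
            reasons.append("script host")
        if verb in EXPLORER_VERBS:
            reasons.append("overrides " + verb)
        if reasons:
            hits.append((guid, verb, cmd, reasons))
    return hits
```

Entries it reports are candidates for review against the files actually present on that volume, not automatic deletions; a legitimate installer disc normally shows up only under the `AutoRun` verb and is not flagged.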