
virus on pen drive, who can help me


Post by mony_05 » 13/04/09 18:40

Hello everyone,

I'm Monica from Rome, a complete beginner in this area, and I'm asking you for a big favour before I take my PC in for repair.

I went to download some files at an internet point and ended up with infected pen drives.

- Every time I insert a pen drive, a damned autorun.inf shows up along with a restore folder, and the option to show hidden files gets disabled. I can re-enable it by putting the registry settings back in order (a solution I read in a PC magazine), but when I insert the pen drive it goes away again. I also think my PC and the external hard disks where I downloaded the files have been infected; they have the autorun.inf file too.

- I noticed that the 'turn off System Restore' checkbox is disabled (disabled by group policy).

- I can no longer connect to the Microsoft site or to various antivirus sites.
- I have an expired Norton and wanted to buy the update, or even get the new Norton 2009, which they say is lighter than the previous ones, but I'm afraid I have a virus that won't let me update anything.

- My expired Norton detected this:

È stato rilevato e bloccato il tentativo di intrusione "HTTP Suspicious Executable Image Download" nel computer in uso 93.146.57.234.
Autore dell'attacco: 93.146.57.234(9287).
Livello di rischio: Alto.
Protocollo: TCP.
IP attaccato: 93.146.57.234.
Porta attaccata: 1131.

- I saw port 9287 among the Windows firewall exceptions. I removed it right away, but I think it comes back at every Windows startup, because when I connect and check I always find it there.

- I ran a scan with HijackThis (I have vers. 1.991), but being a layperson in this area I didn't understand much of it.

I don't know whether I have a backdoor or some other nasty virus. Can you tell me how I can fix this? My OS is XP SP2 and I use Firefox ver. 1.5.
I don't know whether you have already answered problems similar to mine; if so, I apologise in advance for not having combed through the threads, but there are so many, and with my dial-up connection a page takes a long time to open.

Thanks in advance

Monica

Re: virus on pen drive, who can help me

Post by MIKI68 » 13/04/09 19:28

Hi, so post the HijackThis log, I want to see if that.... :diavolo: Knight :diavolo: is there, and then I'll tell you how to get rid of autorun.inf for good!!!!

Re: virus on pen drive, who can help me

Post by shel » 14/04/09 15:32

hi

try doing it this way

Disable the antivirus and the anti-spyware programs

Disconnect the PC from the internet

download ComboFix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

If you have shortcut icons to programs on the desktop, create a dedicated folder and copy them into it

Double-click combofix.exe and follow the instructions step by step

When it has finished it will create the log C:\combofix.txt; save it and post it like the other reports.

Note: during the scan some files will be created on the desktop and the icons will disappear. A program might ask you what to do about removing drivers; in that case agree, they are probably infected drivers.

Before inserting the infected pen drive, hold down the SHIFT key; it's the key with the slightly "chubby" arrow at the bottom left of the keyboard

Insert the pen drive while still holding SHIFT and release it 10 seconds later

At this point start the scan with ComboFix and post the report it gives you

DO NOT TOUCH ANYTHING DURING THE SCAN, NOT EVEN THE MOUSE

Re: virus on pen drive, who can help me

Post by shel » 14/04/09 15:58

obviously you have to run the scan the way I specified in the other post, but with the pen drive inserted

Re: virus on pen drive, who can help me

Post by mony_05 » 15/04/09 21:04

Hello everyone,

first of all, many thanks for replying. In my post I hadn't written that, among other things, I can no longer get into the antivirus vendors' sites or Microsoft's. Damned virus!!!
Thanks for the suggestions. One clarification about ComboFix: by deleting the drivers, don't I run the risk of XP locking up on me? Is the scan fine for the external hard disks too? I use two, one of 640 GB and the other of 500 GB.

I'm sending you the HijackThis log, I have vers. 1.991, copied and pasted. I hope this is the right procedure.

Thanks again

Monica

Logfile of HijackThis v1.99.1
Scan saved at 21.40.45, on 15/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\Programmi\File comuni\Symantec Shared\AppCore\AppSvc32.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\File comuni\Symantec Shared\ccLgView.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\_a Monica\z_MIX-PICS-MEDICINA-TECNO\TECNO-PROGRAMMI\PROGRAMMI-ANTIVIRUS\_program-descrizioni\sistema-cleaner\sistema\DTaskManager\DTaskManager.exe
C:\WINDOWS\Explorer.EXE
D:\_a Monica\z_MIX-PICS-MEDICINA-TECNO\TECNO-PROGRAMMI\PROGRAMMI-ANTIVIRUS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{89224BC9-308C-451D-B968-3B8BD2634741}: NameServer = 193.12.150.2 212.247.152.2
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe

Re: virus on pen drive, who can help me

Post by shel » 16/04/09 14:49

the version of HijackThis you have is the one Nero used to light his cigarettes

use this one ===> http://www.trendsecure.com/portal/en-US ... kthis.php#

Re: virus on pen drive, who can help me

Post by mony_05 » 18/04/09 15:35

Hi, here is the log with the version of HijackThis you suggested

Code: Select all

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.06.36, on 17/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\Programmi\File comuni\Symantec Shared\AppCore\AppSvc32.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\explorer.exe
D:\_a Monica\z_MIX-PICS-MEDICINA-TECNO\TECNO-PROGRAMMI\PROGRAMMI-ANTIVIRUS\HiJackThis 2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\service32.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe



I downloaded ComboFix at an internet point. It doesn't work, maybe I'm doing something wrong. Even though I disabled Norton, ComboFix tells me my antivirus is still active in real time and gives me a blue screen.
I don't know what to do.

Regards

Monica
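An added example, not part of the thread and not HijackThis code: a small Python triage of the O4 (autostart) lines from the HijackThis v2.0.2 log posted above. The three heuristics and the `C:\WINDOWS` location are assumptions of this example, and a flag means "review this entry by hand", not "malicious".

```python
import ntpath
import re
from dataclasses import dataclass, field

# A subset of lines copied from the HijackThis v2.0.2 log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\service32.exe
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Assumption of this example: Windows is installed in C:\WINDOWS, as in the log.
WINDOWS_DIR = r"c:\windows"

# "O4 - <registry key>: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
# First drive-letter path ending in .exe inside a command line (quoted or not).
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


@dataclass
class Autostart:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def parse_o4(log_text):
    """Return every O4 autostart line of a HijackThis log as an Autostart."""
    entries = []
    for raw in log_text.splitlines():
        m = O4_LINE.match(raw.strip())
        if m:
            entries.append(Autostart(m["key"], m["name"], m["command"].strip()))
    return entries


def triage(log_text):
    """Return the O4 entries that match at least one review heuristic."""
    flagged = []
    for entry in parse_o4(log_text):
        # Heuristic 1: autostart configured under Policies\Explorer\Run
        # instead of the ordinary Run key.
        if entry.key.lower().endswith(r"policies\explorer\run"):
            entry.reasons.append("autostart set through Policies\\Explorer\\Run")
        # Heuristic 2: the value has no descriptive name.
        if entry.name == "" or entry.name.isdigit():
            entry.reasons.append("value name is empty or purely numeric")
        # Heuristic 3: the executable is in the Windows directory itself,
        # not in system32 or a program folder.
        m = EXE_PATH.search(entry.command)
        if m and ntpath.dirname(m.group(1)).lower() == WINDOWS_DIR:
            entry.reasons.append("executable sits directly in the Windows directory")
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"{item.key}: [{item.name}] {item.command or '(no command)'}")
        for reason in item.reasons:
            print(f"    - {reason}")
```
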

Re: virus on pen drive, who can help me

Post by shel » 18/04/09 19:34

hi Monica

try renaming ComboFix while you download it.... use a made-up name... I don't know....... Snow White

Re: virus on pen drive, who can help me

Post by mony_05 » 19/04/09 11:03

Hi,

I ran the scan with ComboFix. I renamed it prova

It only scanned the disk where I have the operating system. Doesn't it scan the pen drives as well?
ComboFix deleted some files and now I am able to disable System Restore.
It seems the autorun file is no longer on the pen drives. Instead of holding down the Shift key to stop the pen drive or other external media from opening automatically, is it possible to disable AutoPlay? Here is the ComboFix report.

How am I doing, between the HijackThis log and the ComboFix one? Hopefully not too badly.... I have to post the ComboFix log in several parts because a warning tells me my message has too many characters

Code: Select all
ComboFix 09-04-18.05 - Monica 19/04/2009 11.03.28.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.39.1040.18.511.267 [GMT 2:00]
Eseguito da: c:\documents and settings\Monica\Desktop\prova.exe
AV: AVG 7.5.425 *On-access scanning disabled* (Outdated)
AV: Norton AntiVirus *On-access scanning enabled* (Outdated)
FW: Norton AntiVirus *enabled*

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

(((((((((((((((((((((((((   Files Creati Da 2009-03-19 al 2009-04-19  )))))))))))))))))))))))))))))))))))
.

2009-04-18 08:52 . 2009-04-18 08:52   26624   ----a-w   c:\windows\system32\drivers\fsbts.sys
2009-04-10 18:26 . 2009-04-10 18:26   8576   ----a-w   c:\windows\system32\drivers\jemwrgaqmjgk.sys
2009-04-10 18:26 . 2009-04-10 18:26   --------   d-----w   c:\documents and settings\Monica\Pavark
2009-04-10 11:56 . 2001-08-30 21:07   25600   -c--a-w   c:\windows\system32\dllcache\dc210_32.dll
2009-04-10 11:56 . 2001-08-30 21:07   25600   ----a-w   c:\windows\system32\dc210_32.dll
2009-04-10 11:56 . 2001-08-30 20:28   6912   -c--a-w   c:\windows\system32\dllcache\serscan.sys
2009-04-10 11:56 . 2001-08-30 20:28   6912   ----a-w   c:\windows\system32\drivers\serscan.sys
2009-04-10 11:56 . 2001-08-30 21:07   81408   -c--a-w   c:\windows\system32\dllcache\dc210usd.dll
2009-04-10 11:56 . 2001-08-30 21:07   81408   ----a-w   c:\windows\system32\dc210usd.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 14:17 . 2009-04-18 14:17   886   ----a-w   C:\avenger.txt
2009-04-15 19:34 . 2006-09-11 15:49   --------   d-----w   c:\programmi\File comuni\Symantec Shared
2009-04-13 20:42 . 2005-01-17 18:44   63904   -c--a-w   c:\documents and settings\Monica\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-04-06 08:43 . 2006-06-02 09:46   --------   d-----w   c:\documents and settings\All Users\Dati applicazioni\DVD Shrink
2009-03-29 09:25 . 2004-08-19 12:00   45874   ----a-w   c:\windows\system32\perfc010.dat
2009-03-29 09:25 . 2004-08-19 12:00   341286   ----a-w   c:\windows\system32\perfh010.dat
2009-03-02 21:19 . 2009-03-02 21:19   --------   d-----w   c:\documents and settings\Monica\Dati applicazioni\GRETECH
2006-09-21 17:2006-09-21 17:26      26:12 .   c:\programmi\mozilla firefox\components\jar50.dll
2006-09-21 17:2006-09-21 17:26      26:14 .   c:\programmi\mozilla firefox\components\jsd3250.dll
2006-09-21 17:2006-09-21 17:26      26:12 .   c:\programmi\mozilla firefox\components\xpinstal.dll
2008-09-16 11:37 . 2008-09-15 11:49   16416   --sha-w   c:\windows\system32\drivers\fidbox.dat
2008-09-16 11:37 . 2008-09-15 11:49   1056   --sha-w   c:\windows\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((   SnapShot@2009-04-19_08.55.29   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-03 17:29 . 2008-01-03 17:29   7402              c:\windows\SoftwareDistribution\EventCache\{4E941B89-3CF7-45C7-8761-F8CD01E46431}.bin
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"= "c:\programmi\Yahoo!\Companion\Installs\cpn\yt.dll" [2006-06-07 399352]

[HKEY_CLASSES_ROOT\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}]
[HKEY_CLASSES_ROOT\yt.YToolbarBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YToolbarBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"= "c:\programmi\Yahoo!\Companion\Installs\cpn\yt.dll" [2006-06-07 399352]

[HKEY_CLASSES_ROOT\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}]
[HKEY_CLASSES_ROOT\yt.YToolbarBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YToolbarBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Manager HotSync.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Manager HotSync.lnk
backup=c:\windows\pss\Manager HotSync.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"wuauserv"=2 (0x2)
"RSVP"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Utilità di pianificazione di LiveUpdate automatico"=2 (0x2)
"Schedule"=2 (0x2)
"InCDsrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9287:TCP"= 9287:TCP:fhspfaq

R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter; [x]
R3 MEMSWEEP2;MEMSWEEP2; [x]
R3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\Drivers\SIVX32.sys [2008-06-14 48736]
R4 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2006-09-16 23856]
R4 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;c:\programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-26 554352]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2009-04-18 26624]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-05 99376]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE  .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b73cc36-79e3-11dd-ae9a-000b6a92c309}]
\Shell\AutoRun\command - G:\6x8be16.cmd
\Shell\explore\Command - G:\6x8be16.cmd
\Shell\open\Command - G:\6x8be16.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9dc3316-9c1d-11dc-acb7-000b6a92c309}]
\Shell\AutoRun\command - "Launch.exe" /run
.
Contenuto della cartella 'Scheduled Tasks'

2007-09-24 c:\windows\Tasks\Norton AntiVirus - Scansione completa sistema - Monica.job
- c:\programmi\Norton AntiVirus\Navw32.exe [2007-01-14 01:09]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

WebBrowser-{C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
SSODL-WebCheck-{E6FB5E20-DE35-11CF-9C87-00AA005127ED} - %SystemRoot%\system32\webcheck.dll


.
------- Scansione supplementare -------
.
uStart Page = about:blank
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\programmi\File comuni\System\Ole DB\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\programmi\File comuni\System\Ole DB\MSDAIPP.DLL
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\programmi\File comuni\System\Ole DB\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\programmi\File comuni\System\Ole DB\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\programmi\File comuni\System\Ole DB\MSDAIPP.DLL
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\programmi\File comuni\System\Ole DB\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\programmi\File comuni\System\Ole DB\MSDAIPP.DLL
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\ie2gr.dll
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\ie2gr.dll
FF - ProfilePath - c:\documents and settings\Monica\Dati applicazioni\Mozilla\Firefox\Profiles\749fipr2.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia [it]
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - component: c:\documents and settings\Monica\Dati applicazioni\Mozilla\Firefox\Profiles\749fipr2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Monica\Dati applicazioni\Mozilla\Firefox\Profiles\749fipr2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\programmi\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel",             1); // 0=low, 1=medium, 2=high, 3=custom
c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.enablePad",                   false); // Allow client to do proxy autodiscovery
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom",  "chrome://branding/content/searchconfig.properties");
.
.
------- Associazioni dei file -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 11:05
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\60D.tmp"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\44]
@DACL=(02 0000)
"NodeSlot"=dword:000006f5
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\45]
@DACL=(02 0000)
"NodeSlot"=dword:00000206
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\46]
@DACL=(02 0000)
"NodeSlot"=dword:00000645
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\47]
@DACL=(02 0000)
"NodeSlot"=dword:00000644
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\48]
@DACL=(02 0000)
"NodeSlot"=dword:00000643
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\49]
@DACL=(02 0000)
"NodeSlot"=dword:00000a17
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\5]
@DACL=(02 0000)
"NodeSlot"=dword:00000dd5
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\50]
@DACL=(02 0000)
"NodeSlot"=dword:00000642
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\51]
@DACL=(02 0000)
"NodeSlot"=dword:00000641
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\52]
@DACL=(02 0000)
"NodeSlot"=dword:0000072b
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\53]
@DACL=(02 0000)
"NodeSlot"=dword:0000070d
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\54]
@DACL=(02 0000)
"NodeSlot"=dword:0000072c
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\55]
@DACL=(02 0000)
"NodeSlot"=dword:0000073d
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\56]
@DACL=(02 0000)
"NodeSlot"=dword:0000073e
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\57]
@DACL=(02 0000)
"NodeSlot"=dword:0000072e
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\58]
@DACL=(02 0000)
"NodeSlot"=dword:0000072d
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\59]
@DACL=(02 0000)
"NodeSlot"=dword:00000711
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\6]
@DACL=(02 0000)
"NodeSlot"=dword:000010de
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\60]
@DACL=(02 0000)
"NodeSlot"=dword:00000207
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\1\41\61]
@DACL=(02 0000)
"NodeSlot"=dword:00000196
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\62]
@DACL=(02 0000)
"NodeSlot"=dword:00000560
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\63]
@DACL=(02 0000)
"NodeSlot"=dword:00000197
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\64]
@DACL=(02 0000)
"NodeSlot"=dword:00000047
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\65]
@DACL=(02 0000)
"NodeSlot"=dword:000006c3
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\66]
@DACL=(02 0000)
"NodeSlot"=dword:000006ca
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\67]
@DACL=(02 0000)
"NodeSlot"=dword:000006c5
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\68]
@DACL=(02 0000)
"NodeSlot"=dword:000000df
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\69]
@DACL=(02 0000)
"NodeSlot"=dword:0000029a
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\7]
@DACL=(02 0000)
"NodeSlot"=dword:000010e7
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\70]
@DACL=(02 0000)
"NodeSlot"=dword:000006c4
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\71]
@DACL=(02 0000)
"NodeSlot"=dword:00001000
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\8]
@DACL=(02 0000)
"NodeSlot"=dword:00001371
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\41\9]
@DACL=(02 0000)
"0"=hex:a8,00,32,00,99,8c,02,00,b6,36,71,3b,20,00,50,4f,53,49,5a,49,7e,34,2e,
   4d,48,54,00,00,8c,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fa,5b,14,00,00,00,\
"MRUListEx"=hex:15,00,00,00,10,00,00,00,14,00,00,00,13,00,00,00,12,00,00,00,0f,
   00,00,00,0d,00,00,00,08,00,00,00,05,00,00,00,1b,00,00,00,1e,00,00,00,1a,00,\
"1"=hex:a2,00,32,00,8f,92,02,00,b6,36,f6,3b,20,00,50,4f,35,44,38,31,7e,31,2e,
   4d,48,54,00,00,86,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fa,5b,14,00,00,00,\
"2"=hex:b0,00,32,00,da,b3,02,00,b6,36,d4,3b,20,00,50,4f,32,46,32,45,7e,31,2e,
   4d,48,54,00,00,94,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fa,5b,14,00,00,00,\
"3"=hex:a2,00,32,00,f7,9d,02,00,b6,36,85,3c,20,00,50,4f,35,41,37,46,7e,31,2e,
   4d,48,54,00,00,86,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fa,5b,14,00,00,00,\
"4"=hex:a8,00,32,00,d6,97,02,00,b6,36,79,3b,20,00,50,4f,31,36,32,33,7e,31,2e,
   4d,48,54,00,00,8c,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fa,5b,14,00,00,00,\
"5"=hex:a0,00,32,00,9e,d8,02,00,b6,36,0e,3b,20,00,50,4f,43,45,35,42,7e,31,2e,
   4d,48,54,00,00,84,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fa,5b,14,00,00,00,\
"6"=hex:a0,00,32,00,63,d7,02,00,b6,36,03,3b,20,00,50,4f,39,45,36,46,7e,31,2e,
   4d,48,54,00,00,84,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fa,5b,14,00,00,00,\
"7"=hex:ae,00,32,00,c2,97,02,00,b6,36,70,3c,20,00,50,4f,31,37,46,37,7e,31,2e,
   4d,48,54,00,00,92,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fa,5b,14,00,00,00,\
"8"=hex:a4,00,32,00,01,c4,02,00,b6,36,d7,3a,20,00,50,4f,33,34,41,37,7e,31,2e,
   4d,48,54,00,00,88,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fa,5b,14,00,00,00,\
"9"=hex:a8,00,32,00,63,82,02,00,b6,36,b5,3a,20,00,50,4f,41,32,42,42,7e,31,2e,
   4d,48,54,00,00,8c,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fa,5b,14,00,00,00,\
"10"=hex:ae,00,32,00,37,93,02,00,b6,36,8d,3c,20,00,50,4f,43,31,36,39,7e,31,2e,
   4d,48,54,00,00,92,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,44,64,14,00,00,00,\
"11"=hex:ac,00,32,00,28,9e,02,00,b6,36,ea,3b,20,00,50,4f,35,44,34,31,7e,31,2e,
   4d,48,54,00,00,90,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fa,5b,14,00,00,00,\
"12"=hex:a6,00,32,00,b9,83,02,00,b6,36,cc,3a,20,00,50,4f,30,35,46,44,7e,31,2e,
   4d,48,54,00,00,8a,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,53,64,14,00,00,00,\
"13"=hex:ac,00,32,00,2d,d7,02,00,b6,36,ee,3a,20,00,50,4f,35,33,39,34,7e,31,2e,
   4d,48,54,00,00,90,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,c7,64,14,00,00,00,\
"14"=hex:a6,00,32,00,2f,d9,02,00,b6,36,e3,3a,20,00,50,4f,46,38,31,36,7e,31,2e,
   4d,48,54,00,00,8a,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,d4,64,14,00,00,00,\
"15"=hex:ba,00,32,00,ae,8f,02,00,b6,36,3c,3b,20,00,50,4f,45,43,44,44,7e,31,2e,
   4d,48,54,00,00,9e,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,bd,65,14,00,00,00,\
"16"=hex:a4,00,32,00,79,c5,02,00,b6,36,f8,3a,20,00,50,4f,53,49,5a,49,7e,31,2e,
   4d,48,54,00,00,88,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,ce,65,14,00,00,00,\
"17"=hex:a8,00,32,00,95,86,02,00,b6,36,c3,3a,20,00,50,4f,53,49,5a,49,7e,32,2e,
   4d,48,54,00,00,8c,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,f0,65,14,00,00,00,\
"18"=hex:a4,00,32,00,9e,bc,02,00,b6,36,31,3b,20,00,50,4f,42,34,41,30,7e,31,2e,
   4d,48,54,00,00,88,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,4b,67,14,00,00,00,\
"19"=hex:a8,00,32,00,23,98,02,00,b6,36,4f,3b,20,00,50,4f,35,35,38,32,7e,31,2e,
   4d,48,54,00,00,8c,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,13,68,14,00,00,00,\
"20"=hex:bc,00,32,00,45,bc,02,00,b6,36,24,3c,20,00,50,4f,45,42,38,41,7e,31,2e,
   4d,48,54,00,00,a0,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,cc,65,14,00,00,00,\
"21"=hex:c4,00,32,00,db,84,02,00,b6,36,46,3c,20,00,50,4f,30,45,37,37,7e,31,2e,
   4d,48,54,00,00,a8,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,6a,68,14,00,00,00,\
"22"=hex:aa,00,32,00,9b,96,02,00,b6,36,f3,3b,20,00,50,4f,34,44,37,41,7e,31,2e,
   4d,48,54,00,00,8e,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,4c,68,14,00,00,00,\
"23"=hex:aa,00,32,00,4d,91,02,00,b6,36,39,3c,20,00,50,4f,43,39,42,42,7e,31,2e,
   4d,48,54,00,00,8e,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,0d,69,14,00,00,00,\
"24"=hex:a0,00,32,00,ca,ab,02,00,b6,36,93,3c,20,00,50,4f,39,34,46,37,7e,31,2e,
   4d,48,54,00,00,84,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,15,69,14,00,00,00,\
"25"=hex:a6,00,32,00,f5,89,02,00,b6,36,33,3c,20,00,50,4f,44,42,43,38,7e,31,2e,
   4d,48,54,00,00,8a,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,52,69,14,00,00,00,\
"26"=hex:a6,00,32,00,69,98,02,00,b6,36,01,3c,20,00,50,4f,45,41,33,34,7e,31,2e,
   4d,48,54,00,00,8a,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,d9,69,14,00,00,00,\
"27"=hex:aa,00,32,00,01,86,02,00,b6,36,ca,3b,20,00,50,4f,46,31,37,42,7e,31,2e,
   4d,48,54,00,00,8e,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,fb,69,14,00,00,00,\
"28"=hex:aa,00,32,00,52,8f,02,00,b6,36,58,3b,20,00,50,4f,35,45,44,34,7e,31,2e,
   4d,48,54,00,00,8e,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,41,6a,14,00,00,00,\
"29"=hex:a0,00,32,00,fb,80,02,00,b6,36,65,3b,20,00,50,4f,34,30,35,34,7e,31,2e,
   4d,48,54,00,00,84,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,e5,6a,14,00,00,00,\
"30"=hex:a2,00,32,00,55,c6,02,00,b6,36,18,3b,20,00,50,4f,45,33,46,33,7e,31,2e,
   4d,48,54,00,00,86,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,4a,6b,14,00,00,00,\
"31"=hex:aa,00,32,00,e4,86,02,00,b6,36,46,3b,20,00,50,4f,35,43,30,41,7e,31,2e,
   4d,48,54,00,00,8e,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,58,6b,14,00,00,00,\
"32"=hex:a8,00,32,00,49,cf,02,00,b6,36,26,3b,20,00,50,4f,33,45,34,32,7e,31,2e,
   4d,48,54,00,00,8c,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,f9,6b,14,00,00,00,\
"33"=hex:a8,00,32,00,b8,94,02,00,b6,36,16,3c,20,00,50,4f,44,39,36,31,7e,31,2e,
   4d,48,54,00,00,8c,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,1d,6c,14,00,00,00,\
"34"=hex:bc,00,32,00,dc,58,02,00,b6,36,75,3c,20,00,50,4f,43,33,31,37,7e,31,2e,
   4d,48,54,00,00,a0,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,45,6c,14,00,00,00,\
"35"=hex:e8,00,32,00,56,34,06,00,b6,36,e3,3d,20,00,50,52,4f,53,45,47,7e,31,2e,
   4d,48,54,00,00,cc,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,8a,6c,14,00,00,00,\
"36"=hex:76,00,32,00,48,44,02,00,b6,36,9a,3a,20,00,4b,41,4d,41,53,55,7e,32,2e,
   4d,48,54,00,00,5a,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,bb,6c,14,00,00,00,\
"37"=hex:78,00,32,00,a9,44,02,00,b6,36,68,3c,20,00,4b,41,4d,41,53,55,7e,31,2e,
   4d,48,54,00,00,5c,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,c0,6c,14,00,00,00,\
"38"=hex:a4,00,32,00,6b,48,06,00,b6,36,f1,3d,20,00,4c,45,50,52,49,4d,7e,31,2e,
   4d,48,54,00,00,88,00,03,00,04,00,ef,be,b6,36,fa,5b,b6,36,c3,6c,14,00,00,00,\
"NodeSlot"=dword:000005bc

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\42]
@DACL=(02 0000)
"0"=hex:5a,00,31,00,00,00,00,00,b1,34,81,73,10,00,54,45,43,4e,4f,2d,7e,31,00,
   00,42,00,03,00,04,00,ef,be,98,31,f4,a4,b1,34,81,73,14,00,00,00,54,00,45,00,\
"MRUListEx"=hex:08,00,00,00,10,00,00,00,0b,00,00,00,0f,00,00,00,0e,00,00,00,0d,
   00,00,00,02,00,00,00,04,00,00,00,0c,00,00,00,0a,00,00,00,05,00,00,00,07,00,\
"NodeSlot"=dword:00000997
"1"=hex:60,00,31,00,00,00,00,00,b9,34,cd,61,10,00,46,4f,54,4f,2d,33,7e,31,00,
   00,48,00,03,00,04,00,ef,be,98,31,03,a5,04,35,fa,54,14,00,00,00,46,00,4f,00,\
"2"=hex:34,00,31,00,00,00,00,00,98,31,ec,a4,10,00,56,41,52,49,00,00,20,00,03,
   00,04,00,ef,be,98,31,ec,a4,46,35,d0,50,14,00,00,00,56,00,41,00,52,00,49,00,\
"3"=hex:3c,00,31,00,00,00,00,00,4d,33,22,4c,10,00,52,49,43,45,54,54,45,00,26,
   00,03,00,04,00,ef,be,98,31,02,a5,7c,35,1b,6d,14,00,00,00,52,00,49,00,43,00,\
"4"=hex:4e,00,31,00,00,00,00,00,4d,33,22,4c,10,00,52,49,43,45,54,54,7e,31,00,
   00,36,00,03,00,04,00,ef,be,98,31,02,a5,7c,35,cd,99,14,00,00,00,52,00,49,00,\
"5"=hex:3c,00,31,00,00,00,00,00,b2,34,d1,93,10,00,50,41,54,45,4e,54,45,00,26,
   00,03,00,04,00,ef,be,b2,34,60,93,7c,35,1c,6d,14,00,00,00,50,00,41,00,54,00,\
"6"=hex:50,00,31,00,00,00,00,00,7b,35,bb,59,10,00,46,4f,54,4f,2d,33,7e,31,00,
   00,38,00,03,00,04,00,ef,be,98,31,03,a5,7c,35,f1,99,14,00,00,00,46,00,4f,00,\
"7"=hex:4e,00,31,00,00,00,00,00,7b,35,bb,59,10,00,46,4f,54,4f,2d,33,7e,31,00,
   00,36,00,03,00,04,00,ef,be,98,31,03,a5,7c,35,fa,99,14,00,00,00,46,00,4f,00,\
"8"=hex:4e,00,31,00,00,00,00,00,78,35,37,92,10,00,54,45,43,4e,4f,2d,7e,31,00,
   00,36,00,03,00,04,00,ef,be,98,31,f4,a4,7c,35,6c,9a,14,00,00,00,54,00,45,00,\
"9"=hex:4a,00,31,00,00,00,00,00,9c,31,18,6a,10,00,41,4e,49,4d,45,4d,7e,31,00,
   00,32,00,03,00,04,00,ef,be,98,31,07,a5,7c,35,c5,99,14,00,00,00,61,00,6e,00,\
"10"=hex:58,00,31,00,00,00,00,00,37,36,68,80,10,00,46,4f,54,4f,2d,52,7e,31,00,
   00,40,00,03,00,04,00,ef,be,98,31,02,a5,af,36,09,69,14,00,00,00,46,00,4f,00,\
"11"=hex:52,00,31,00,00,00,00,00,37,36,9d,7c,10,00,4d,45,44,49,43,49,7e,31,00,
   00,3a,00,03,00,04,00,ef,be,98,31,03,a5,b6,36,12,8f,14,00,00,00,4d,00,45,00,\
"12"=hex:5a,00,31,00,00,00,00,00,a6,36,97,72,10,00,43,52,45,53,43,49,7e,31,00,
   00,42,00,03,00,04,00,ef,be,2c,34,74,6d,c3,36,b4,6c,14,00,00,00,43,00,52,00,\
"13"=hex:44,00,31,00,00,00,00,00,71,37,54,58,10,00,46,4f,54,4f,2d,4c,7e,31,00,
   00,2c,00,03,00,04,00,ef,be,98,31,02,a5,72,37,eb,89,14,00,00,00,46,00,4f,00,\
"14"=hex:34,00,31,00,00,00,00,00,9f,39,63,ab,10,00,46,4f,54,4f,00,00,20,00,03,
   00,04,00,ef,be,98,31,02,a5,9f,39,85,ab,14,00,00,00,46,00,4f,00,54,00,4f,00,\
"15"=hex:64,00,31,00,00,00,00,00,7e,39,bd,8c,10,00,43,52,45,53,43,49,7e,31,00,
   00,4c,00,03,00,04,00,ef,be,2c,34,74,6d,9f,39,2b,a9,14,00,00,00,43,00,52,00,\
"16"=hex:36,00,31,00,00,00,00,00,8d,3a,60,a0,10,00,53,50,4f,52,54,00,22,00,03,
   00,04,00,ef,be,8d,3a,60,a0,8d,3a,60,a0,14,00,00,00,53,00,50,00,4f,00,52,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\43]
@DACL=(02 0000)
"0"=hex:90,00,32,00,34,72,09,00,ba,34,43,a2,20,00,46,49,4c,4d,55,50,7e,31,2e,
   4d,48,54,00,00,74,00,03,00,04,00,ef,be,ba,34,76,a8,ba,34,76,a8,14,00,00,00,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\44]
@DACL=(02 0000)
"NodeSlot"=dword:00000996
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\45]
@DACL=(02 0000)
"NodeSlot"=dword:00000998
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\46]
@DACL=(02 0000)
"NodeSlot"=dword:000009fb
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"=hex:36,00,31,00,00,00,00,00,ce,34,b3,b5,10,00,6b,69,73,73,32,00,22,00,03,
   00,04,00,ef,be,ce,34,81,b5,ce,34,b3,b5,14,00,00,00,6b,00,69,00,73,00,73,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\47]
@DACL=(02 0000)
"NodeSlot"=dword:00000b92
"MRUListEx"=hex:03,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,ff,ff,ff,ff
"0"=hex:4e,00,31,00,00,00,00,00,f5,34,f2,53,10,00,53,54,49,4c,4c,4d,7e,31,00,
   00,36,00,03,00,04,00,ef,be,f1,34,11,5a,f5,34,f2,53,14,00,00,00,73,00,74,00,\
"1"=hex:44,00,31,00,00,00,00,00,f6,34,82,76,10,00,50,45,52,53,4f,4e,7e,31,00,
   00,2c,00,03,00,04,00,ef,be,98,31,22,a5,fe,34,38,af,14,00,00,00,70,00,65,00,\
"2"=hex:42,00,31,00,00,00,00,00,f9,34,cb,b0,10,00,5f,53,54,41,4d,50,7e,31,00,
   00,2a,00,03,00,04,00,ef,be,e1,34,99,7c,06,35,5b,b7,14,00,00,00,5f,00,73,00,\
"3"=hex:3a,00,31,00,00,00,00,00,07,35,fc,8b,10,00,70,6f,73,74,65,72,00,00,24,
   00,03,00,04,00,ef,be,98,31,22,a5,07,35,fc,8b,14,00,00,00,70,00,6f,00,73,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\48]
@DACL=(02 0000)
"NodeSlot"=dword:00000bdf
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\49]
@DACL=(02 0000)
"NodeSlot"=dword:00000ebd
"MRUListEx"=hex:04,00,00,00,01,00,00,00,00,00,00,00,05,00,00,00,07,00,00,00,06,
   00,00,00,0f,00,00,00,03,00,00,00,0e,00,00,00,0d,00,00,00,0c,00,00,00,0b,00,\
"0"=hex:42,00,31,00,00,00,00,00,23,35,2f,9f,10,00,5f,50,4f,50,53,4f,7e,31,00,
   00,2a,00,03,00,04,00,ef,be,9b,31,39,6e,5b,35,d4,84,14,00,00,00,5f,00,70,00,\
"1"=hex:4c,00,31,00,00,00,00,00,25,35,6d,a2,10,00,43,4f,4c,4f,4e,4e,7e,31,00,
   00,34,00,03,00,04,00,ef,be,45,32,65,5a,5a,35,f8,88,14,00,00,00,43,00,6f,00,\
"2"=hex:36,00,31,00,00,00,00,00,5c,35,9b,68,10,00,4c,75,69,73,61,00,22,00,03,
   00,04,00,ef,be,5c,35,9b,68,5c,35,9b,68,14,00,00,00,4c,00,75,00,69,00,73,00,\
"3"=hex:3e,00,31,00,00,00,00,00,54,35,29,83,10,00,4e,45,57,41,47,45,7e,31,00,
   00,26,00,03,00,04,00,ef,be,3a,33,4a,51,5c,35,39,63,14,00,00,00,4e,00,65,00,\
"4"=hex:54,00,31,00,00,00,00,00,9b,31,20,6f,10,00,53,49,47,4c,45,43,7e,31,00,
   00,3c,00,03,00,04,00,ef,be,9b,31,dc,6e,5c,35,39,63,14,00,00,00,73,00,69,00,\
"5"=hex:36,00,31,00,00,00,00,00,17,37,4e,97,10,00,61,6e,69,6d,65,00,22,00,03,
   00,04,00,ef,be,9b,31,42,6d,28,37,b9,72,14,00,00,00,61,00,6e,00,69,00,6d,00,\
"6"=hex:4e,00,31,00,00,00,00,00,ed,36,da,63,10,00,52,4f,4e,44,56,45,7e,31,00,
   00,36,00,03,00,04,00,ef,be,6a,36,d0,65,2f,37,02,9c,14,00,00,00,52,00,6f,00,\
"7"=hex:30,00,31,00,00,00,00,00,46,37,89,75,10,00,5f,54,39,00,1e,00,03,00,04,
   00,ef,be,46,37,89,75,46,37,89,75,14,00,00,00,5f,00,54,00,39,00,00,00,12,00,\
"8"=hex:42,00,31,00,00,00,00,00,47,37,f3,7d,10,00,41,4c,42,55,4d,50,7e,31,00,
   00,2a,00,03,00,04,00,ef,be,01,37,a2,89,72,37,7d,57,14,00,00,00,61,00,6c,00,\
"9"=hex:2a,00,31,00,00,00,00,00,7a,37,a0,84,10,00,32,00,1a,00,03,00,04,00,ef,
   be,7a,37,28,7e,7a,37,a0,84,14,00,00,00,32,00,00,00,10,00,00,00
"10"=hex:8e,00,32,00,bd,7f,03,00,89,37,0a,9c,20,00,48,4f,57,54,4f,57,7e,31,2e,
   4d,48,54,00,00,72,00,03,00,04,00,ef,be,88,37,da,aa,61,38,bc,b8,14,00,00,00,\
"11"=hex:a4,00,32,00,f3,92,1d,00,88,37,9a,a1,20,00,43,4c,49,50,4e,41,7e,31,2e,
   4d,48,54,00,00,88,00,03,00,04,00,ef,be,88,37,99,a1,79,38,eb,ac,14,00,00,00,\
"12"=hex:68,00,32,00,f7,84,06,00,79,38,59,af,20,00,50,4f,53,49,5a,49,7e,31,2e,
   4d,48,54,00,00,4c,00,03,00,04,00,ef,be,79,38,58,af,79,38,59,af,14,00,00,00,\
"13"=hex:6a,00,32,00,5b,cb,03,00,79,38,bc,b0,20,00,50,4f,53,49,5a,49,7e,32,2e,
   4d,48,54,00,00,4e,00,03,00,04,00,ef,be,79,38,bc,b0,79,38,bc,b0,14,00,00,00,\
"14"=hex:6e,00,32,00,15,d5,02,00,79,38,e0,b0,20,00,50,4f,53,49,5a,49,7e,33,2e,
   4d,48,54,00,00,52,00,03,00,04,00,ef,be,79,38,e0,b0,79,38,e0,b0,14,00,00,00,\
"15"=hex:48,00,31,00,00,00,00,00,6b,38,71,a3,10,00,43,4f,4d,50,49,4c,7e,31,00,
   00,30,00,03,00,04,00,ef,be,68,38,0c,9e,84,38,af,a8,14,00,00,00,63,00,6f,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\5]
@DACL=(02 0000)
"NodeSlot"=dword:00001248
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\50]
@DACL=(02 0000)
"NodeSlot"=dword:00001060
"MRUListEx"=hex:04,00,00,00,03,00,00,00,05,00,00,00,00,00,00,00,01,00,00,00,02,
   00,00,00,ff,ff,ff,ff
"0"=hex:34,00,31,00,00,00,00,00,63,35,01,a4,10,00,5f,4a,70,67,00,00,20,00,03,
   00,04,00,ef,be,1b,35,82,51,7a,35,6a,7f,14,00,00,00,5f,00,4a,00,70,00,67,00,\
"1"=hex:30,00,31,00,00,00,00,00,70,35,d6,8d,10,00,72,65,63,00,1e,00,03,00,04,
   00,ef,be,70,35,31,8c,7a,35,6a,7f,14,00,00,00,72,00,65,00,63,00,00,00,12,00,\
"2"=hex:40,00,31,00,00,00,00,00,6e,35,ea,62,10,00,4e,49,50,54,55,43,7e,31,00,
   00,28,00,03,00,04,00,ef,be,18,35,72,8a,7a,35,6a,7f,14,00,00,00,6e,00,69,00,\
"3"=hex:38,00,31,00,00,00,00,00,8d,35,58,ae,10,00,58,4d,45,4e,7e,31,00,00,22,
   00,03,00,04,00,ef,be,10,35,a3,69,9a,35,91,ac,14,00,00,00,58,00,20,00,4d,00,\
"4"=hex:46,00,31,00,00,00,00,00,45,35,e8,88,10,00,31,35,58,32,30,32,7e,31,00,
   00,2e,00,03,00,04,00,ef,be,1c,35,92,5e,2a,36,10,6d,14,00,00,00,31,00,35,00,\
"5"=hex:36,00,31,00,00,00,00,00,83,35,29,79,10,00,31,32,78,31,38,00,22,00,03,
   00,04,00,ef,be,83,35,29,79,2a,36,10,6d,14,00,00,00,31,00,32,00,78,00,31,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\51]
@DACL=(02 0000)
"NodeSlot"=dword:000010e2
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\52]
@DACL=(02 0000)
"NodeSlot"=dword:000010e3
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\53]
@DACL=(02 0000)
"NodeSlot"=dword:000010e6
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\54]
@DACL=(02 0000)
"NodeSlot"=dword:000011d5
"MRUListEx"=hex:00,00,00,00,01,00,00,00,ff,ff,ff,ff
"0"=hex:62,00,31,00,00,00,00,00,8e,35,00,bf,10,00,50,45,52,4d,41,53,7e,31,00,
   00,4a,00,03,00,04,00,ef,be,8e,35,b2,be,24,36,66,9e,14,00,00,00,70,00,65,00,\
"1"=hex:44,00,31,00,00,00,00,00,8e,35,05,bf,10,00,50,45,52,4d,41,53,7e,32,00,
   00,2c,00,03,00,04,00,ef,be,8e,35,05,bf,24,36,66,9e,14,00,00,00,70,00,65,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\55]
@DACL=(02 0000)
"NodeSlot"=dword:00001315
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\56]
@DACL=(02 0000)
"NodeSlot"=dword:00001316
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\57]
@DACL=(02 0000)
"NodeSlot"=dword:00000eb6
"MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff
"0"=hex:46,00,31,00,00,00,00,00,38,36,4c,6a,10,00,44,41,52,4f,47,52,7e,31,00,
   00,2e,00,03,00,04,00,ef,be,38,36,4c,6a,38,36,4c,6a,14,00,00,00,64,00,61,00,\
"1"=hex:5a,00,31,00,00,00,00,00,38,36,4c,6a,10,00,32,34,2d,30,31,2d,7e,31,00,
   00,42,00,03,00,04,00,ef,be,38,36,4c,6a,38,36,57,6a,14,00,00,00,32,00,34,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\58]
@DACL=(02 0000)
"NodeSlot"=dword:000006bb
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\59]
@DACL=(02 0000)
"NodeSlot"=dword:00000f83
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\6]
@DACL=(02 0000)
"0"=hex:60,00,31,00,00,00,00,00,9d,31,ad,90,10,00,46,4f,54,4f,2d,33,7e,31,00,
   00,48,00,03,00,04,00,ef,be,98,31,03,a5,88,32,25,5a,14,00,00,00,46,00,4f,00,\
"MRUListEx"=hex:04,00,00,00,05,00,00,00,02,00,00,00,03,00,00,00,01,00,00,00,00,
   00,00,00,ff,ff,ff,ff
"NodeSlot"=dword:000003c3
"1"=hex:4e,00,31,00,00,00,00,00,09,33,a3,72,10,00,53,48,4f,50,50,49,7e,31,00,
   00,36,00,03,00,04,00,ef,be,09,33,62,72,46,33,64,89,14,00,00,00,53,00,48,00,\
"2"=hex:4e,00,31,00,00,00,00,00,1a,33,15,53,10,00,54,45,43,4e,4f,2d,7e,31,00,
   00,36,00,03,00,04,00,ef,be,98,31,f4,a4,46,33,64,89,14,00,00,00,54,00,45,00,\
"3"=hex:3c,00,31,00,00,00,00,00,4a,33,6d,90,10,00,52,49,43,45,54,54,45,00,26,
   00,03,00,04,00,ef,be,98,31,02,a5,4a,33,6d,90,14,00,00,00,52,00,49,00,43,00,\
"4"=hex:5a,00,31,00,00,00,00,00,6d,33,cd,b3,10,00,54,45,43,4e,4f,2d,7e,31,00,
   00,42,00,03,00,04,00,ef,be,98,31,f4,a4,72,33,67,9e,14,00,00,00,54,00,45,00,\
"5"=hex:34,00,31,00,00,00,00,00,98,31,ec,a4,10,00,56,41,52,49,00,00,20,00,03,
   00,04,00,ef,be,98,31,ec,a4,4f,34,59,95,14,00,00,00,56,00,41,00,52,00,49,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\60]
@DACL=(02 0000)
"NodeSlot"=dword:00000408
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"=hex:36,00,31,00,00,00,00,00,42,36,14,af,10,00,74,6f,6c,74,69,00,22,00,03,
   00,04,00,ef,be,39,36,d4,4c,46,36,46,7b,14,00,00,00,74,00,6f,00,6c,00,74,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\61]
@DACL=(02 0000)
"NodeSlot"=dword:000000bf
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\62]
@DACL=(02 0000)
"NodeSlot"=dword:0000137f
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\63]
@DACL=(02 0000)
"0"=hex:b8,00,32,00,4c,d6,03,00,50,36,d9,78,20,00,4d,45,47,41,4c,41,7e,31,2e,
   4d,48,54,00,00,9c,00,03,00,04,00,ef,be,50,36,0f,9e,50,36,02,aa,14,00,00,00,\
"MRUListEx"=hex:13,00,00,00,12,00,00,00,0d,00,00,00,01,00,00,00,11,00,00,00,10,
   00,00,00,0f,00,00,00,0e,00,00,00,0c,00,00,00,00,00,00,00,0b,00,00,00,03,00,\
"1"=hex:e8,00,32,00,94,5b,02,00,50,36,12,79,20,00,50,52,49,4d,4f,54,7e,31,2e,
   4d,48,54,00,00,cc,00,03,00,04,00,ef,be,50,36,14,9e,50,36,03,aa,14,00,00,00,\
"2"=hex:64,00,32,00,e3,cd,01,00,50,36,75,78,20,00,52,4f,4f,54,4b,49,7e,31,2e,
   4d,48,54,00,00,48,00,03,00,04,00,ef,be,50,36,14,9e,50,36,03,aa,14,00,00,00,\
"NodeSlot"=dword:00001047
"3"=hex:6c,00,32,00,e9,05,00,00,50,36,d6,7d,20,00,4d,41,54,52,41,44,7e,31,2e,
   4d,48,54,00,00,50,00,03,00,04,00,ef,be,50,36,0f,9e,53,36,f2,6d,14,00,00,00,\
"4"=hex:90,00,32,00,b5,5c,04,00,56,36,f1,73,20,00,44,49,41,4c,45,52,7e,31,2e,
   4d,48,54,00,00,74,00,03,00,04,00,ef,be,56,36,e9,73,56,36,90,9d,14,00,00,00,\
"5"=hex:20,01,32,00,2b,37,0e,00,56,36,6b,73,20,00,57,33,32,5f,53,50,7e,31,2e,
   4d,48,54,00,00,04,01,03,00,04,00,ef,be,56,36,66,73,56,36,91,9d,14,00,00,00,\
"6"=hex:70,00,32,00,1a,5a,05,00,56,36,41,6f,20,00,50,52,49,4a,5a,45,7e,31,2e,
   4d,48,54,00,00,54,00,03,00,04,00,ef,be,56,36,38,6f,56,36,c7,b4,14,00,00,00,\
"7"=hex:1a,01,32,00,4c,95,01,00,56,36,0b,71,20,00,50,43,41,4c,4d,45,7e,31,2e,
   4d,48,54,00,00,fe,00,03,00,04,00,ef,be,56,36,09,71,56,36,c7,b4,14,00,00,00,\
"8"=hex:4a,00,32,00,4c,95,01,00,56,36,0b,71,20,00,57,50,41,44,42,4c,7e,31,2e,
   4d,48,54,00,00,2e,00,03,00,04,00,ef,be,56,36,09,71,56,36,5c,b6,14,00,00,00,\
"9"=hex:b2,00,32,00,33,13,03,00,50,36,a8,78,20,00,4d,45,47,41,4c,41,7e,32,2e,
   4d,48,54,00,00,96,00,03,00,04,00,ef,be,50,36,0f,9e,56,36,c7,b4,14,00,00,00,\
"10"=hex:bc,00,32,00,8c,69,01,00,56,36,8e,71,20,00,4c,41,54,52,49,4e,7e,31,2e,
   4d,48,54,00,00,a0,00,03,00,04,00,ef,be,56,36,8b,71,56,36,c7,b4,14,00,00,00,\
"11"=hex:b6,00,32,00,3b,45,04,00,56,36,8d,81,20,00,4d,45,47,41,4c,41,7e,33,2e,
   4d,48,54,00,00,9a,00,03,00,04,00,ef,be,56,36,86,81,56,36,c7,b4,14,00,00,00,\
"12"=hex:4e,00,32,00,4c,d6,03,00,50,36,d9,78,20,00,52,55,53,54,4f,43,7e,31,2e,
   4d,48,54,00,00,32,00,03,00,04,00,ef,be,50,36,0f,9e,56,36,0f,ba,14,00,00,00,\
"13"=hex:72,00,32,00,2b,85,01,00,56,36,6e,71,20,00,4d,41,47,47,49,4f,7e,31,2e,
   4d,48,54,00,00,56,00,03,00,04,00,ef,be,56,36,6d,71,56,36,c7,b4,14,00,00,00,\
"14"=hex:8c,00,32,00,a6,cc,0a,00,50,36,b7,78,20,00,41,53,53,49,53,54,7e,31,2e,
   4d,48,54,00,00,70,00,03,00,04,00,ef,be,50,36,0e,9e,56,36,c6,b4,14,00,00,00,\
"15"=hex:a0,00,32,00,c6,f9,02,00,56,36,37,81,20,00,45,58,54,45,4e,5a,7e,31,2e,
   4d,48,54,00,00,84,00,03,00,04,00,ef,be,56,36,34,81,56,36,c7,b4,14,00,00,00,\
"16"=hex:b8,00,31,00,00,00,00,00,50,36,08,9e,10,00,50,49,4e,4e,41,43,7e,34,00,
   00,a0,00,03,00,04,00,ef,be,50,36,08,9e,58,36,7c,6f,14,00,00,00,50,00,69,00,\
"17"=hex:44,00,31,00,00,00,00,00,53,36,a8,71,10,00,32,30,30,37,2d,30,7e,31,00,
   00,2c,00,03,00,04,00,ef,be,50,36,08,9e,58,36,7c,6f,14,00,00,00,32,00,30,00,\
"18"=hex:70,00,32,00,f3,12,02,00,56,36,d5,7d,20,00,4c,49,4e,4b,50,52,7e,31,2e,
   4d,48,54,00,00,54,00,03,00,04,00,ef,be,56,36,d2,7d,58,36,06,7f,14,00,00,00,\
"19"=hex:88,00,32,00,c3,1f,01,00,56,36,ae,7d,20,00,46,41,53,54,45,52,7e,31,2e,
   4d,48,54,00,00,6c,00,03,00,04,00,ef,be,56,36,ac,7d,58,36,26,7f,14,00,00,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\64]
@DACL=(02 0000)
"NodeSlot"=dword:00000a79
"MRUListEx"=hex:00,00,00,00,03,00,00,00,01,00,00,00,02,00,00,00,ff,ff,ff,ff
"0"=hex:4c,00,31,00,00,00,00,00,4f,36,45,93,10,00,47,55,49,44,45,5f,7e,31,00,
   00,34,00,03,00,04,00,ef,be,4f,36,16,93,51,36,97,69,14,00,00,00,47,00,75,00,\
"1"=hex:4a,00,31,00,00,00,00,00,4f,36,b2,92,10,00,41,52,43,48,49,56,7e,31,00,
   00,32,00,03,00,04,00,ef,be,4f,36,90,92,53,36,6c,56,14,00,00,00,41,00,72,00,\
"2"=hex:4a,00,31,00,00,00,00,00,4f,36,b6,92,10,00,41,52,43,48,49,56,7e,32,00,
   00,32,00,03,00,04,00,ef,be,4f,36,b2,92,53,36,6c,56,14,00,00,00,41,00,72,00,\
"3"=hex:3c,00,31,00,00,00,00,00,4f,36,2c,94,10,00,57,69,6e,64,6f,77,73,00,26,
   00,03,00,04,00,ef,be,4f,36,17,94,53,36,6c,56,14,00,00,00,57,00,69,00,6e,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\65]
@DACL=(02 0000)
"NodeSlot"=dword:00000d23
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\66]
@DACL=(02 0000)
"0"=hex:48,00,32,00,43,9b,02,00,d5,36,85,9c,20,00,47,69,6e,73,65,6e,67,2e,6d,
   68,74,00,2e,00,03,00,04,00,ef,be,d5,36,85,9c,e4,36,2d,a1,14,00,00,00,47,00,\
"MRUListEx"=hex:02,00,00,00,01,00,00,00,00,00,00,00,ff,ff,ff,ff
"1"=hex:72,00,32,00,6a,28,03,00,d2,36,d7,a0,20,00,50,41,4c,4c,49,4e,7e,32,2e,
   4d,48,54,00,00,56,00,03,00,04,00,ef,be,d2,36,d7,a0,e4,36,2d,a1,14,00,00,00,\
"2"=hex:6e,00,32,00,70,32,03,00,d2,36,ba,a0,20,00,50,41,4c,4c,49,4e,7e,31,2e,
   4d,48,54,00,00,52,00,03,00,04,00,ef,be,d2,36,ba,a0,e4,36,2d,a1,14,00,00,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\67]
@DACL=(02 0000)
"0"=hex:76,00,31,00,00,00,00,00,fa,36,42,a0,10,00,53,4f,4e,59,5f,56,7e,33,00,
   00,5e,00,03,00,04,00,ef,be,fa,36,42,a0,fa,36,42,a0,14,00,00,00,53,00,6f,00,\
"MRUListEx"=hex:01,00,00,00,04,00,00,00,03,00,00,00,02,00,00,00,00,00,00,00,ff,
   ff,ff,ff
"1"=hex:42,00,31,00,00,00,00,00,fc,36,51,75,10,00,4c,45,54,54,4f,52,7e,34,00,
   00,2a,00,03,00,04,00,ef,be,fc,36,1d,71,fc,36,51,75,14,00,00,00,4c,00,45,00,\
"NodeSlot"=dword:00000026
"2"=hex:46,00,31,00,00,00,00,00,fc,36,6a,71,10,00,4c,45,54,54,4f,52,7e,33,00,
   00,2e,00,03,00,04,00,ef,be,fc,36,4d,71,fd,36,26,4e,14,00,00,00,4c,00,45,00,\
"3"=hex:4a,00,31,00,00,00,00,00,03,37,f4,99,10,00,4c,45,54,54,4f,52,7e,31,00,
   00,32,00,03,00,04,00,ef,be,fc,36,e6,71,03,37,f4,99,14,00,00,00,4c,00,45,00,\
"4"=hex:4a,00,31,00,00,00,00,00,06,37,e9,83,10,00,4c,45,54,54,4f,52,7e,32,00,
   00,32,00,03,00,04,00,ef,be,fc,36,f6,71,06,37,e9,83,14,00,00,00,4c,00,45,00,\





A big thank you
mony_05

Re: virus on pen drive, who can help me

Post by mony_05 » 19/04/09 11:05

Here is the second part of the ComboFix log

"4"=hex:04,01,32,00,b4,66,02,00,35,37,23,6d,20,00,46,49,4e,41,4c,46,7e,31,2e,
   4d,48,54,00,00,e8,00,03,00,04,00,ef,be,35,37,20,6d,36,37,b2,69,14,00,00,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\7]
@DACL=(02 0000)
"NodeSlot"=dword:0000122a
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\70]
@DACL=(02 0000)
"0"=hex:e4,00,32,00,fe,f7,08,00,35,37,a2,62,20,00,5f,52,49,4e,4f,41,7e,31,2e,
   4d,48,54,00,00,c8,00,03,00,04,00,ef,be,35,37,9d,62,36,37,a8,6b,14,00,00,00,\
"MRUListEx"=hex:06,00,00,00,13,00,00,00,0c,00,00,00,0d,00,00,00,12,00,00,00,0b,
   00,00,00,0e,00,00,00,11,00,00,00,07,00,00,00,09,00,00,00,10,00,00,00,0f,00,\
"1"=hex:04,01,32,00,b4,66,02,00,35,37,23,6d,20,00,46,49,4e,41,4c,46,7e,31,2e,
   4d,48,54,00,00,e8,00,03,00,04,00,ef,be,35,37,20,6d,36,37,a8,6b,14,00,00,00,\
"2"=hex:72,00,32,00,b4,66,02,00,35,37,23,6d,20,00,46,49,4e,41,4c,46,7e,31,2e,
   4d,48,54,00,00,56,00,03,00,04,00,ef,be,35,37,20,6d,36,37,84,6d,14,00,00,00,\
"3"=hex:5e,00,32,00,8f,16,16,00,35,37,bb,68,20,00,46,46,41,41,4c,4d,7e,31,2e,
   4d,48,54,00,00,42,00,03,00,04,00,ef,be,35,37,b1,68,36,37,a8,6b,14,00,00,00,\
"4"=hex:8e,00,32,00,b4,66,02,00,35,37,23,6d,20,00,46,49,4e,41,4c,46,7e,31,2e,
   4d,48,54,00,00,72,00,03,00,04,00,ef,be,35,37,20,6d,36,37,91,6d,14,00,00,00,\
"5"=hex:9a,00,32,00,1c,37,07,00,35,37,49,62,20,00,5f,52,49,4e,4f,41,7e,32,2e,
   4d,48,54,00,00,7e,00,03,00,04,00,ef,be,35,37,44,62,36,37,a8,6b,14,00,00,00,\
"6"=hex:68,00,32,00,8f,16,16,00,35,37,bb,68,20,00,46,49,4e,41,4c,46,7e,33,2e,
   4d,48,54,00,00,4c,00,03,00,04,00,ef,be,35,37,b1,68,36,37,c0,6e,14,00,00,00,\
"NodeSlot"=dword:000000ae
"7"=hex:7e,00,32,00,fe,f7,08,00,35,37,a2,62,20,00,46,49,4e,41,4c,46,7e,32,2e,
   4d,48,54,00,00,62,00,03,00,04,00,ef,be,35,37,9d,62,37,37,07,5a,14,00,00,00,\
"8"=hex:8c,00,32,00,b4,66,02,00,35,37,23,6d,20,00,46,49,4e,41,4c,46,7e,31,2e,
   4d,48,54,00,00,70,00,03,00,04,00,ef,be,35,37,20,6d,37,37,07,5a,14,00,00,00,\
"9"=hex:b6,00,32,00,51,60,01,00,39,37,c5,94,20,00,41,50,50,55,4e,54,7e,31,2e,
   4d,48,54,00,00,9a,00,03,00,04,00,ef,be,39,37,c5,94,3a,37,a5,9e,14,00,00,00,\
"10"=hex:60,00,31,00,00,00,00,00,7c,35,d5,98,10,00,44,4f,43,55,4d,45,7e,31,00,
   00,48,00,03,00,04,00,ef,be,4e,35,d6,74,3a,37,f6,ab,14,00,00,00,64,00,6f,00,\
"11"=hex:64,00,32,00,19,b5,00,00,31,37,af,88,20,00,4d,49,56,41,52,32,7e,31,2e,
   4d,48,54,00,00,48,00,03,00,04,00,ef,be,31,37,af,88,3b,37,31,86,14,00,00,00,\
"12"=hex:64,00,32,00,39,b4,00,00,31,37,aa,88,20,00,4d,49,56,41,52,32,7e,32,2e,
   4d,48,54,00,00,48,00,03,00,04,00,ef,be,31,37,a9,88,3b,37,31,86,14,00,00,00,\
"13"=hex:62,00,32,00,4b,d5,00,00,31,37,b3,88,20,00,4d,49,56,41,52,32,7e,33,2e,
   4d,48,54,00,00,46,00,03,00,04,00,ef,be,31,37,b2,88,3b,37,31,86,14,00,00,00,\
"14"=hex:6c,00,32,00,0d,42,02,00,2a,37,a1,5d,20,00,4c,45,41,47,45,4e,7e,31,2e,
   4d,48,54,00,00,50,00,03,00,04,00,ef,be,2a,37,a1,5d,3b,37,48,8e,14,00,00,00,\
"15"=hex:be,00,32,00,27,6a,02,00,39,37,54,98,20,00,49,4c,53,41,4c,56,7e,31,2e,
   4d,48,54,00,00,a2,00,03,00,04,00,ef,be,39,37,53,98,3b,37,92,8e,14,00,00,00,\
"16"=hex:9c,00,32,00,81,d9,03,00,25,37,30,73,20,00,4c,41,56,4f,52,41,7e,31,2e,
   4d,48,54,00,00,80,00,03,00,04,00,ef,be,32,37,55,83,3b,37,e6,8e,14,00,00,00,\
"17"=hex:74,00,32,00,35,e7,06,00,32,37,cd,71,20,00,47,41,4d,45,44,4f,7e,31,2e,
   4d,48,54,00,00,58,00,03,00,04,00,ef,be,32,37,c3,99,3c,37,50,80,14,00,00,00,\
"18"=hex:00,01,32,00,a7,6b,40,00,35,37,74,68,20,00,54,48,45,53,54,4d,7e,31,2e,
   4d,48,54,00,00,e4,00,03,00,04,00,ef,be,35,37,62,68,3c,37,51,80,14,00,00,00,\
"19"=hex:78,00,32,00,09,c1,03,00,32,37,a8,79,20,00,43,4f,4e,44,49,5a,7e,31,2e,
   4d,48,54,00,00,5c,00,03,00,04,00,ef,be,32,37,c3,99,52,37,fa,4e,14,00,00,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\71]
@DACL=(02 0000)
"NodeSlot"=dword:00001135
"MRUListEx"=hex:0c,00,00,00,0a,00,00,00,0d,00,00,00,0b,00,00,00,09,00,00,00,08,
   00,00,00,07,00,00,00,06,00,00,00,05,00,00,00,04,00,00,00,03,00,00,00,02,00,\
"0"=hex:4e,00,31,00,00,00,00,00,4c,37,67,48,10,00,5f,41,52,41,44,55,7e,31,00,
   00,36,00,03,00,04,00,ef,be,4c,37,67,48,4c,37,67,48,14,00,00,00,5f,00,61,00,\
"1"=hex:60,00,31,00,00,00,00,00,4c,37,d1,48,10,00,5f,41,52,41,44,55,7e,31,00,
   00,48,00,03,00,04,00,ef,be,4c,37,67,48,4c,37,ef,48,14,00,00,00,5f,00,61,00,\
"2"=hex:2e,00,31,00,00,00,00,00,4c,37,f9,48,10,00,5f,62,00,00,1c,00,03,00,04,
   00,ef,be,4c,37,f9,48,4c,37,f9,48,14,00,00,00,5f,00,62,00,00,00,12,00,00,00
"3"=hex:60,00,31,00,00,00,00,00,4c,37,8e,49,10,00,41,5f,52,41,44,55,7e,31,00,
   00,48,00,03,00,04,00,ef,be,4c,37,67,48,4c,37,a1,49,14,00,00,00,61,00,5f,00,\
"4"=hex:46,00,31,00,00,00,00,00,4c,37,8e,49,10,00,42,5f,32,39,2d,30,7e,31,00,
   00,2e,00,03,00,04,00,ef,be,4c,37,f9,48,4c,37,c4,49,14,00,00,00,62,00,5f,00,\
"5"=hex:5c,00,31,00,00,00,00,00,4c,37,16,4a,10,00,42,5f,54,52,45,42,7e,31,00,
   00,44,00,03,00,04,00,ef,be,4c,37,f9,48,4c,37,22,4a,14,00,00,00,62,00,5f,00,\
"6"=hex:2e,00,31,00,00,00,00,00,4c,37,0a,4a,10,00,63,5f,00,00,1c,00,03,00,04,
   00,ef,be,4c,37,e3,49,4c,37,0a,4a,14,00,00,00,63,00,5f,00,00,00,12,00,00,00
"7"=hex:50,00,31,00,00,00,00,00,4c,37,16,4a,10,00,43,5f,43,45,4e,41,7e,31,00,
   00,38,00,03,00,04,00,ef,be,4c,37,e3,49,4c,37,58,4a,14,00,00,00,63,00,5f,00,\
"8"=hex:48,00,31,00,00,00,00,00,4c,37,69,4a,10,00,44,5f,46,52,4f,53,7e,31,00,
   00,30,00,03,00,04,00,ef,be,4c,37,60,4a,4c,37,69,4a,14,00,00,00,64,00,5f,00,\
"9"=hex:5a,00,31,00,00,00,00,00,4c,37,69,4a,10,00,44,5f,46,52,4f,53,7e,31,00,
   00,42,00,03,00,04,00,ef,be,4c,37,60,4a,4c,37,73,4a,14,00,00,00,64,00,5f,00,\
"10"=hex:34,00,31,00,00,00,00,00,4c,37,db,4d,10,00,43,44,31,7e,31,00,20,00,03,
   00,04,00,ef,be,4c,37,db,4d,4c,37,db,4d,14,00,00,00,63,00,64,00,20,00,31,00,\
"11"=hex:36,00,31,00,00,00,00,00,4c,37,e4,4d,10,00,44,32,30,31,34,36,7e,31,00,
   00,1e,00,03,00,04,00,ef,be,4c,37,e4,4d,4c,37,e4,4d,14,00,00,00,64,00,20,00,\
"12"=hex:34,00,31,00,00,00,00,00,4c,37,24,51,10,00,43,44,32,7e,31,00,20,00,03,
   00,04,00,ef,be,4c,37,e4,4d,4c,37,5a,52,14,00,00,00,63,00,64,00,20,00,32,00,\
"13"=hex:34,00,31,00,00,00,00,00,4c,37,58,52,10,00,43,44,33,7e,31,00,20,00,03,
   00,04,00,ef,be,4c,37,58,52,4c,37,58,52,14,00,00,00,63,00,64,00,20,00,33,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\72]
@DACL=(02 0000)
"NodeSlot"=dword:000012d3
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\8]
@DACL=(02 0000)
"NodeSlot"=dword:0000091d
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\1\9]
@DACL=(02 0000)
"NodeSlot"=dword:00000270
"MRUListEx"=hex:02,00,00,00,0b,00,00,00,07,00,00,00,0a,00,00,00,09,00,00,00,06,
   00,00,00,01,00,00,00,03,00,00,00,00,00,00,00,08,00,00,00,05,00,00,00,04,00,\
"0"=hex:34,00,31,00,00,00,00,00,9d,31,3a,6d,10,00,46,4f,54,4f,00,00,20,00,03,
   00,04,00,ef,be,9d,31,e0,6c,a8,32,d8,aa,14,00,00,00,46,00,4f,00,54,00,4f,00,\
"1"=hex:60,00,31,00,00,00,00,00,35,33,90,4b,10,00,5f,44,41,53,54,41,7e,31,00,
   00,48,00,03,00,04,00,ef,be,9d,31,93,66,35,33,90,4b,14,00,00,00,5f,00,64,00,\
"2"=hex:5c,00,31,00,00,00,00,00,7b,33,71,65,10,00,45,4e,43,49,43,4c,7e,31,00,
   00,44,00,03,00,04,00,ef,be,9d,31,47,6c,7b,33,71,65,14,00,00,00,65,00,6e,00,\
"3"=hex:40,00,31,00,00,00,00,00,70,33,62,67,10,00,42,6c,6f,6f,70,65,72,73,00,
   00,28,00,03,00,04,00,ef,be,9d,31,7b,69,7c,33,3d,59,14,00,00,00,42,00,6c,00,\
"4"=hex:78,00,31,00,00,00,00,00,9d,31,f1,68,10,00,5f,47,49,53,54,41,7e,31,00,
   00,60,00,03,00,04,00,ef,be,9d,31,f1,68,7c,33,3d,59,14,00,00,00,5f,00,67,00,\
"5"=hex:3c,00,31,00,00,00,00,00,7b,33,76,5a,10,00,45,70,69,73,6f,64,69,00,26,
   00,03,00,04,00,ef,be,9d,31,81,6a,7c,33,3d,59,14,00,00,00,45,00,70,00,69,00,\
"6"=hex:46,00,31,00,00,00,00,00,99,31,4e,bb,10,00,46,41,4e,46,49,43,7e,31,00,
   00,2e,00,03,00,04,00,ef,be,99,31,4e,bb,7c,33,3d,59,14,00,00,00,66,00,61,00,\
"7"=hex:44,00,31,00,00,00,00,00,9d,31,94,6b,10,00,50,45,52,53,4f,4e,7e,31,00,
   00,2c,00,03,00,04,00,ef,be,9d,31,94,6b,7c,33,3d,59,14,00,00,00,50,00,65,00,\
"8"=hex:36,00,31,00,00,00,00,00,9d,31,10,6c,10,00,76,69,64,65,6f,00,22,00,03,
   00,04,00,ef,be,9d,31,e2,6b,7c,33,3d,59,14,00,00,00,76,00,69,00,64,00,65,00,\
"9"=hex:44,00,31,00,00,00,00,00,9d,31,58,6b,10,00,4d,4f,44,45,4c,4c,7e,31,00,
   00,2c,00,03,00,04,00,ef,be,9d,31,10,6b,67,34,4f,b2,14,00,00,00,4d,00,6f,00,\
"10"=hex:3a,00,31,00,00,00,00,00,00,00,00,00,10,00,4d,75,73,69,63,61,00,00,24,
   00,03,00,04,00,ef,be,00,00,00,00,00,00,00,00,14,00,00,00,4d,00,75,00,73,00,\
"11"=hex:3a,00,31,00,00,00,00,00,9d,31,52,6b,10,00,73,63,72,69,70,74,00,00,24,
   00,03,00,04,00,ef,be,9d,31,52,6b,67,34,4f,b2,14,00,00,00,73,00,63,00,72,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\10]
@DACL=(02 0000)
"NodeSlot"=dword:0000042c
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\11]
@DACL=(02 0000)
"NodeSlot"=dword:0000087e
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\12]
@DACL=(02 0000)
"NodeSlot"=dword:00000b07
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\13]
@DACL=(02 0000)
"NodeSlot"=dword:0000098a
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\14]
@DACL=(02 0000)
"NodeSlot"=dword:00000c2d
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\15]
@DACL=(02 0000)
"NodeSlot"=dword:00000a0b
"MRUListEx"=hex:00,00,00,00,04,00,00,00,05,00,00,00,03,00,00,00,01,00,00,00,02,
   00,00,00,ff,ff,ff,ff
"1"=hex:46,00,31,00,00,00,00,00,7e,37,01,b2,10,00,5f,44,41,4c,45,47,7e,31,00,
   00,2e,00,03,00,04,00,ef,be,ab,36,fc,76,0a,39,06,54,14,00,00,00,5f,00,64,00,\
"2"=hex:40,00,31,00,00,00,00,00,a3,38,95,a5,10,00,43,52,45,53,43,49,54,41,00,
   00,28,00,03,00,04,00,ef,be,98,31,b1,a4,16,39,96,89,14,00,00,00,43,00,52,00,\
"3"=hex:58,00,31,00,00,00,00,00,18,39,08,59,10,00,5f,4d,4f,4e,49,43,7e,31,00,
   00,40,00,03,00,04,00,ef,be,16,39,79,97,18,39,08,59,14,00,00,00,5f,00,4d,00,\
"4"=hex:42,00,31,00,00,00,00,00,dd,38,c5,45,10,00,4c,49,42,52,49,2d,7e,31,00,
   00,2a,00,03,00,04,00,ef,be,98,31,b1,a4,70,39,24,6f,14,00,00,00,4c,00,69,00,\
"5"=hex:34,00,31,00,00,00,00,00,7a,39,40,a4,10,00,31,77,6d,61,00,00,20,00,03,
   00,04,00,ef,be,7a,39,06,a4,7a,39,40,a4,14,00,00,00,31,00,77,00,6d,00,61,00,\
"0"=hex:30,00,31,00,00,00,00,00,4c,3a,12,74,10,00,31,30,43,00,1e,00,03,00,04,
   00,ef,be,4c,3a,12,74,4c,3a,12,74,14,00,00,00,31,00,30,00,43,00,00,00,12,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\16]
@DACL=(02 0000)
"NodeSlot"=dword:00000bfa
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\17]
@DACL=(02 0000)
"NodeSlot"=dword:00001106
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\18]
@DACL=(02 0000)
"NodeSlot"=dword:00001276
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\19]
@DACL=(02 0000)
"NodeSlot"=dword:00000c77
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\2]
@DACL=(02 0000)
"NodeSlot"=dword:000008cc
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\20]
@DACL=(02 0000)
"NodeSlot"=dword:000002ab
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\21]
@DACL=(02 0000)
"NodeSlot"=dword:00000144
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\22]
@DACL=(02 0000)
"NodeSlot"=dword:00000afe
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\23]
@DACL=(02 0000)
"NodeSlot"=dword:00000a76
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\24]
@DACL=(02 0000)
"NodeSlot"=dword:0000025b
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\25]
@DACL=(02 0000)
"NodeSlot"=dword:000012e7
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\26]
@DACL=(02 0000)
"NodeSlot"=dword:00000d55
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\27]
@DACL=(02 0000)
"NodeSlot"=dword:00000064
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\28]
@DACL=(02 0000)
"NodeSlot"=dword:00001338
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\29]
@DACL=(02 0000)
"NodeSlot"=dword:000006f3
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\3]
@DACL=(02 0000)
"NodeSlot"=dword:00000972
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\30]
@DACL=(02 0000)
"NodeSlot"=dword:0000090b
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\31]
@DACL=(02 0000)
"NodeSlot"=dword:000003ab
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\32]
@DACL=(02 0000)
"NodeSlot"=dword:000001be
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\33]
@DACL=(02 0000)
"NodeSlot"=dword:00001361
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\34]
@DACL=(02 0000)
"NodeSlot"=dword:00000dbe
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\35]
@DACL=(02 0000)
"NodeSlot"=dword:00000f7e
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\36]
@DACL=(02 0000)
"NodeSlot"=dword:000009e2
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\37]
@DACL=(02 0000)
"NodeSlot"=dword:00000c45
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\38]
@DACL=(02 0000)
"NodeSlot"=dword:00000c46
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\39]
@DACL=(02 0000)
"NodeSlot"=dword:00000c3d
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\4]
@DACL=(02 0000)
"NodeSlot"=dword:00000873
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\40]
@DACL=(02 0000)
"NodeSlot"=dword:00000e87
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\41]
@DACL=(02 0000)
"NodeSlot"=dword:00000990
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\42]
@DACL=(02 0000)
"NodeSlot"=dword:000012fa
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\43]
@DACL=(02 0000)
"NodeSlot"=dword:00000502
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\44]
@DACL=(02 0000)
"NodeSlot"=dword:00000e23
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\45]
@DACL=(02 0000)
"NodeSlot"=dword:00000b66
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\46]
@DACL=(02 0000)
"NodeSlot"=dword:00000b7e
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\47]
@DACL=(02 0000)
"NodeSlot"=dword:000012ec
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\48]
@DACL=(02 0000)
"NodeSlot"=dword:000012a0
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\49]
@DACL=(02 0000)
"NodeSlot"=dword:000011b1
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\5]
@DACL=(02 0000)
"MRUListEx"=hex:03,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,ff,ff,ff,ff
"NodeSlot"=dword:00001387
"0"=hex:58,00,31,00,00,00,00,00,52,39,bb,9b,11,00,49,6d,6d,61,67,69,6e,69,00,
   00,28,00,03,00,04,00,ef,be,97,31,b9,4c,99,39,60,7e,14,00,00,00,49,00,6d,00,\
"1"=hex:40,00,31,00,00,00,00,00,98,31,f9,4b,13,00,4d,53,4f,43,61,63,68,65,00,
   00,28,00,03,00,04,00,ef,be,98,31,f9,4b,4f,3a,23,a3,14,00,00,00,4d,00,53,00,\
"2"=hex:3a,00,31,00,00,00,00,00,41,37,b7,6b,10,00,47,69,6f,63,68,69,00,00,24,
   00,03,00,04,00,ef,be,b7,34,62,61,51,3a,d0,5a,14,00,00,00,47,00,69,00,6f,00,\
"3"=hex:40,00,31,00,00,00,00,00,9b,36,6c,b9,10,00,53,79,6d,61,6e,74,65,63,00,
   00,28,00,03,00,04,00,ef,be,2b,35,d3,80,8a,3a,0f,96,14,00,00,00,53,00,79,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\50]
@DACL=(02 0000)
"NodeSlot"=dword:00000341
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\51]
@DACL=(02 0000)
"NodeSlot"=dword:00000e0e
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\52]
@DACL=(02 0000)
"NodeSlot"=dword:00000f5f
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\53]
@DACL=(02 0000)
"NodeSlot"=dword:00000138
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\54]
@DACL=(02 0000)
"NodeSlot"=dword:00000aea
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\55]
@DACL=(02 0000)
"NodeSlot"=dword:00000e44
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\56]
@DACL=(02 0000)
"NodeSlot"=dword:000010ca
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\57]
@DACL=(02 0000)
"NodeSlot"=dword:00000425
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\58]
@DACL=(02 0000)
"NodeSlot"=dword:0000096e
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\6]
@DACL=(02 0000)
"NodeSlot"=dword:00000fd0
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"=hex:3a,00,31,00,00,00,00,00,31,3a,a5,b4,10,00,4d,75,73,69,63,61,00,00,24,
   00,03,00,04,00,ef,be,31,3a,a5,b4,31,3a,a5,b4,14,00,00,00,4d,00,75,00,73,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\7]
@DACL=(02 0000)
"NodeSlot"=dword:00000b6a
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\8]
@DACL=(02 0000)
"NodeSlot"=dword:00000833
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\[u]0[/u]\9]
@DACL=(02 0000)
"NodeSlot"=dword:0000082e
"MRUListEx"=hex:ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1]
@DACL=(02 0000)
"NodeSlot"=dword:00000d00
"MRUListEx"=hex:00,00,00,00,01,00,00,00,04,00,00,00,02,00,00,00,05,00,00,00,03,
   00,00,00,ff,ff,ff,ff
"0"=hex:3a,00,31,00,00,00,00,00,9f,37,e1,5e,10,00,45,75,64,6f,72,61,00,00,24,
   00,03,00,04,00,ef,be,31,32,c1,94,9f,37,e2,5e,14,00,00,00,45,00,75,00,64,00,\
"4"=hex:5c,00,31,00,00,00,00,00,ce,38,ad,3d,10,00,44,4f,43,55,4d,45,7e,31,00,
   00,44,00,03,00,04,00,ef,be,31,32,3a,99,e1,38,d7,89,14,00,00,00,44,00,6f,00,\
"1"=hex:42,00,31,00,00,00,00,00,26,3a,16,90,11,00,50,52,4f,47,52,41,7e,31,00,
   00,2a,00,03,00,04,00,ef,be,31,32,5c,99,41,3a,9d,85,14,00,00,00,50,00,72,00,\
"2"=hex:3c,00,31,00,00,00,00,00,4e,3a,cf,68,10,00,57,49,4e,44,4f,57,53,00,26,
   00,03,00,04,00,ef,be,31,32,8b,98,4f,3a,cc,5b,14,00,00,00,57,00,49,00,4e,00,\
"3"=hex:36,00,31,00,00,00,00,00,34,32,6f,78,10,00,4b,50,43,4d,53,00,22,00,03,
   00,04,00,ef,be,34,32,6f,78,8a,3a,a4,5c,14,00,00,00,4b,00,50,00,43,00,4d,00,\
"5"=hex:40,00,31,00,00,00,00,00,79,38,95,b4,16,00,52,45,43,59,43,4c,45,52,00,
   00,28,00,03,00,04,00,ef,be,31,32,fc,94,8d,3a,0b,66,14,00,00,00,52,00,45,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\10]
@DACL=(02 0000)
"0"=hex:42,00,31,00,00,00,00,00,8a,3a,19,96,10,00,5f,41,4d,4f,4e,49,7e,31,00,
   00,2a,00,03,00,04,00,ef,be,98,31,ce,a4,8e,3a,74,36,14,00,00,00,5f,00,61,00,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2]
@DACL=(02 0000)
"NodeSlot"=dword:00000027
"MRUListEx"=hex:0a,00,00,00,09,00,00,00,03,00,00,00,ff,ff,ff,ff
"3"=hex:36,00,31,00,00,00,00,00,41,3a,15,8b,10,00,73,75,6e,74,6f,00,22,00,03,
   00,04,00,ef,be,41,3a,fc,83,41,3a,15,8b,14,00,00,00,73,00,75,00,6e,00,74,00,\
"9"=hex:54,00,31,00,00,00,00,00,00,00,00,00,10,00,64,61,20,76,65,64,65,72,65,
   2d,73,75,6e,74,6f,00,36,00,03,00,04,00,ef,be,00,00,00,00,00,00,00,00,14,00,\
"10"=hex:40,00,31,00,00,00,00,00,8a,3a,81,7b,17,00,52,45,43,59,43,4c,45,52,00,
   00,28,00,03,00,04,00,ef,be,8a,3a,81,7b,89,3a,00,b0,14,00,00,00,52,00,45,00,\

[HKEY_USERS\S-1-5-21-776561741-630328440-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\3]
@DACL=(02 0000)
"NodeSlot"=dword:0000006d
"MRUListEx"=hex:04,00,00,00,1a,00,00,00,1b,00,00,00,71,00,00,00,6c,00,00,00,07,
   00,00,00,05,00,00,00,5d,00,00,00,59,00,00,00,70,00,00,00,6f,00,00,00,6e,00,\
"4"=hex:42,00,31,00,00,00,00,00,6f,39,1c,59,10,00,44,4f,43,55,4d,45,7e,32,00,
   00,2a,00,03,00,04,00,ef,be,6f,39,1c,59,6e,39,00,b8,14,00,00,00,44,00,6f,00,\
"19"=hex:34,00,31,00,00,00,00,00,9f,39,d7,55,10,00,58,45,4e,41,00,00,20,00,03,
   00,04,00,ef,be,9f,39,d7,55,9e,39,00,b8,14,00,00,00,58,00,65,00,6e,00,61,00,\
"20"=hex:4a,00,31,00,00,00,00,00,21,3a,57,5f,10,00,43,41,52,54,4f,4f,7e,31,00,
   00,32,00,03,00,04,00,ef,be,21,3a,57,5f,9f,39,00,b8,14,00,00,00,63,00,61,00,\
"0"=hex:5e,00,31,00,00,00,00,00,2b,3a,3b,9e,10,00,54,56,2d,43,49,4e,7e,31,00,
   00,46,00,03,00,04,00,ef,be,7e,39,45,73,38,3a,1a,5e,14,00,00,00,54,00,56,00,\
"1"=hex:4c,00,31,00,00,00,00,00,7e,39,26,89,10,00,5f,50,45,52,4d,41,7e,31,00,
   00,34,00,03,00,04,00,ef,be,7e,39,f3,86,38,3a,1a,5e,14,00,00,00,5f,00,70,00,\
"2"=hex:42,00,31,00,00,00,00,00,2b,3a,39,9e,10,00,5f,41,4d,4f,4e,49,7e,31,00,
   00,2a,00,03,00,04,00,ef,be,2b,3a,8a,91,38,3a,35,66,14,00,00,00,5f,00,61,00,\
"3"=hex:44,00,31,00,00,00,00,00,37,3a,6a,a2,10,00,49,4e,54,45,52,4e,7e,31,00,
   00,2c,00,03,00,04,00,ef,be,37,3a,6a,a2,38,3a,00,b8,14,00,00,00,49,00,6e,00,\
"5"=hex:46,00,31,00,00,00,00,00,00,00,00,00,10,00,5f,64,61,20,76,65,64,65,72,
   65,00,00,2c,00,03,00,04,00,ef,be,00,00,00,00,00,00,00,00,14,00,00,00,5f,00,\
"6"=hex:4a,00,31,00,00,00,00,00,38,3a,77,7d,10,00,5f,4c,49,4e,4b,49,7e,31,00,
   00,32,00,03,00,04,00,ef,be,38,3a,77,7d,38,3a,00,b8,14,00,00,00,5f,00,6c,00,\
"7"=hex:40,00,31,00,00,00,00,00,37,3a,6a,a2,10,00,49,4e,54,45,52,4e,45,54,00,
   00,28,00,03,00,04,00,ef,be,37,3a,6a,a2,3f,3a,00,b8,14,00,00,00,49,00,6e,00,\
"8"=hex:2e,00,31,00,00,00,00,00,41,3a,42,9c,10,00,32,34,00,00,1c,00,03,00,04,
   00,ef,be,41,3a,42,9c,3f,3a,00,b8,14,00,00,00,32,00,34,00,00,00,12,00,00,00
"9"=hex:7a,00,31,00,00,00,00,00,47,3a,43,94,10,00,5f,4e,49,43,49,53,7e,31,00,
   00,62,00,03,00,04,00,ef,be,47,3a,43,94,46,3a,00,b8,14,00,00,00,5f,00,6e,00,\
"10"=hex:74,00,31,00,00,00,00,00,47,3a,b3,96,10,00,5f,4e,43,49,53,58,7e,31,00,
   00,5c,00,03,00,04,00,ef,be,47,3a,b3,96,46,3a,00,b8,14,00,00,00,5f,00,6e,00,\
"11"=hex:78,00,31,00,00,00,00,00,47,3a,20,97,10,00,5f,4e,43,49,53,58,7e,32,00,
   00,60,00,03,00,04,00,ef,be,47,3a,20,97,46,3a,00,b8,14,00,00,00,5f,00,6e,00,\
"12"=hex:8c,00,31,00,00,00,00,00,47,3a,79,a1,10,00,5f,58,44,56,44,45,7e,31,00,
   00,74,00,03,00,04,00,ef,be,47,3a,79,a1,46,3a,00,b8,14,00,00,00,5f,00,78,00,\
"13"=hex:ba,00,31,00,00,00,00,00,47,3a,72,a6,10,00,5f,58,44,56,44,34,7e,31,00,
   00,a2,00,03,00,04,00,ef,be,47,3a,72,a6,46,3a,00,b8,14,00,00,00,5f,00,78,00,\
"14"=hex:6e,00,31,00,00,00,00,00,47,3a,69,a7,10,00,5f,4e,43,49,53,58,7e,32,00,
   00,56,00,03,00,04,00,ef,be,47,3a,69,a7,46,3a,00,b8,14,00,00,00,5f,00,6e,00,\
"15"=hex:84,00,31,00,00,00,00,00,47,3a,72,a6,10,00,5f,58,44,56,44,34,7e,31,00,
   00,6c,00,03,00,04,00,ef,be,47,3a,72,a6,46,3a,00,b8,14,00,00,00,5f,00,78,00,\
"16"=hex:94,00,31,00,00,00,00,00,47,3a,72,a6,10,00,5f,58,44,56,44,34,7e,32,00,
   00,7c,00,03,00,04,00,ef,be,47,3a,72,a6,46,3a,00,b8,14,00,00,00,5f,00,78,00,\
"17"=hex:30,00,31,00,00,00,00,00,4b,3a,a0,4d,10,00,50,44,46,00,1e,00,03,00,04,
   00,ef,be,4b,3a,a0,4d,4a,3a,00,b8,14,00,00,00,50,00,44,00,46,00,00,00,12,00,\
"18"=hex:44,00,31,00,00,00,00,00,51,3a,84,53,10,00,5f,53,49,53,54,45,7e,31,00,
   00,2c,00,03,00,04,00,ef,be,51,3a,84,53,50,3a,00,b8,14,00,00,00,5f,00,73,00,\
"21"=hex:40,00,31,00,00,00,00,00,51,3a,29,9a,10,00,53,4d,52,54,4e,54,4b,59,00,
   00,28,00,03,00,04,00,ef,be,51,3a,29,9a,50,3a,00,b8,14,00,00,00,53,00,4d,00,\
"22"=hex:3e,00,31,00,00,00,00,00,55,3a,96,8d,10,00,5f,4c,41,44,59,4f,7e,31,00,
   00,26,00,03,00,04,00,ef,be,55,3a,96,8d,54,3a,00,b8,14,00,00,00,5f,00,6c,00,\
"23"=hex:5a,00,b1,00,00,00,00,00,6f,39,bb,58,16,00,52,45,43,59,43,4c,45,44,00,
   00,28,00,03,00,04,00,ef,be,6f,39,bb,58,6e,39,00,b8,14,00,00,00,52,00,65,00,\
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(412)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1196)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Ora fine scansione: 2009-04-19 11.06.05
ComboFix-quarantined-files.txt  2009-04-19 09:06
ComboFix2.txt  2009-04-19 08:58

Pre-Run: 89.812.127.744 byte disponibili
Post-Run: 89.801.207.808 byte disponibili

1422
mony_05
Junior User

Posts: 15
Joined: 13/04/09 18:34

Re: virus on pen drive, who can help me

Post by shel » 19/04/09 11:22

hi

you should rerun the scan with ComboFix and post me the complete log, not split up as you did
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: virus on pen drive, who can help me

Post by mony_05 » 21/04/09 20:54

Hi,

if I post the whole log, a warning comes up saying that the message is too long and it won't let me send anything. I'll try attaching it instead. I hope that's fine all the same. Sorry if I don't reply right away. I connect in the evening, when I'm not too tired from work...

Regards
Attachments

[The txt extension has been disabled and can no longer be displayed.]

mony_05
Junior User

Posts: 15
Joined: 13/04/09 18:34

Re: virus on pen drive, who can help me

Post by Luke57 » 21/04/09 23:15

Hi, take the file I've attached and put it on the desktop. Then drag it with the mouse pointer onto the ComboFix icon. The program will start a new scan; don't do anything else during the scan, and when it finishes restart the computer. Attach the new report it produces
Attachments

[The txt extension has been disabled and can no longer be displayed.]

Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Re: virus on pen drive, who can help me

Post by shel » 21/04/09 23:45

this also needs to be deleted ===>> G:\6x8be16.cmd
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: virus on pen drive, who can help me

Post by Luke57 » 22/04/09 07:25

shel wrote: this also needs to be deleted ===>> G:\6x8be16.cmd

Thanks for the information; we'll see from the next ComboFix report
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Re: virus on pen drive, who can help me

Post by mony_05 » 24/04/09 21:13

Hello everyone.

Luke57: I downloaded your file, but do I still have to run the scan with the pen drive inserted? I had more than one infected; to tell the truth, they all got infected one by one as I connected them to the computer. I think my brother's got infected too once it was plugged into my PC, though he uses a Macintosh. Do I have to run a scan with his as well?

Shel: I don't remember which stick the file 6x8be16.cmd was on. I have 4 of them... As above, do I have to run a scan for each stick?

I also wanted to ask you:
1. Can I safely delete the files that ComboFix found and put in quarantine?
2. Instead of upgrading my antivirus (I have Norton 2006 plus the various updates) I bought Norton 2009 from scratch. Before installing it, should I uninstall the previous version, or can I install over it?

Thanks as always and have a good weekend

Monica
mony_05
Junior User

Posts: 15
Joined: 13/04/09 18:34

Re: virus on pen drive, who can help me

Post by shel » 24/04/09 21:20

I don't remember which stick the file 6x8be16.cmd was on. I have 4 of them... As above, do I have to run a scan for each stick?


see if you find it on drive G:\ =====> G:\6x8be16.cmd

to be safe, analyze it here ===> http://www.virustotal.com/it/
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56
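
The check requested in the post above (find the file on the stick, then submit it for analysis) can be prepared without opening the drive in Explorer. The following is an added example, not part of the thread and not ComboFix code: it reads an autorun.inf as plain text, lists the runnable files it would launch, and computes the SHA-256 to look up. The sample autorun.inf is constructed; the thread only gives the file name G:\6x8be16.cmd and a "restore" folder, never the real file contents.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# autorun.inf keys that make Windows start a program from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Extensions Windows runs directly.
RUNNABLE = {".exe", ".cmd", ".bat", ".com", ".scr", ".pif", ".vbs", ".js"}

# Constructed sample: the thread names G:\6x8be16.cmd but never shows the
# drive's real autorun.inf, so these contents are an assumption.
SAMPLE = """\
;padding comment
[AutoRun]
open=6x8be16.cmd
shell\\open\\Command=6x8be16.cmd
shell\\explore\\Command="restore\\x.exe" /q
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def first_token(value):
    """Program part of a command line, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def launch_targets(autorun_text):
    """Return (key, program) for every launch entry in the [autorun] section."""
    targets, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment, often used as padding
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            targets.append((key.lower(), first_token(value)))
    return targets


def triage(autorun_text, drive="G:\\"):
    """Full paths of runnable files the drive would launch, for review."""
    return [
        (key, str(PureWindowsPath(drive) / program))
        for key, program in launch_targets(autorun_text)
        if PureWindowsPath(program).suffix.lower() in RUNNABLE
    ]


def sha256_of(data):
    """SHA-256 of a file's bytes, the value to search on a scanning service."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for key, path in triage(SAMPLE):
        print(f"{key:24} -> {path}")
```

Run it against the text of each stick's autorun.inf, one drive letter at a time, so that every listed file can be checked before anything on the stick is opened.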

Re: virus on pen drive, who can help me

Post by Luke57 » 24/04/09 22:37

Hi, please carry out the operation with the CFScript.txt file and then attach the new report it produces.
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Re: virus on pen drive, who can help me

Post by mony_05 » 26/04/09 19:46

Good evening,

I'm posting the latest log, made with Luke57's script. I ran it with one of the previously infected pen drives inserted. I had to download ComboFix again because when I dragged the script onto it a warning said that the program had expired, and it didn't start any operation. Is that normal?

Shel: I think the file G:\6x8be16.cmd was deleted during the very first ComboFix scan. I ran two more scans with the other pen drives and there is no trace of it in the logs (but I used only ComboFix without the script. Maybe I should have used it anyway?) If you want, I'll post the other attachments too.

Regards to all

Monica
Attachments

[The txt extension has been disabled and can no longer be displayed.]

mony_05
Junior User

Posts: 15
Joined: 13/04/09 18:34

Re: virus on pen drive, who can help me

Post by shel » 28/04/09 19:00

hi, and sorry for the delay


Download Avenger

http://swandog46.geekstogo.com/avenger.zip

Extract it to a folder of your choice
Run the file avenger.exe
Now paste these lines into the white box that has opened:

files to delete:
c:\windows\system32\60D.tmp

registry keys to delete:
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]





Untick the Scan for Rootkits option
Press the Execute button
Answer Yes to the two Avenger prompts
Your computer should now restart; if it doesn't, restart it manually
When the computer has restarted, copy and paste here the contents of the Notepad window that appears.



Analyze here ====> http://www.virustotal.com/it/ the part highlighted in red

c:\windows\system32\߯
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56
