I am working on identifying an infection vector. Unfortunately, I was brought in a little after the fact. Some cleanup had already taken place and evidence has been trampled.
I have located a last write time on key "useAuTopLAY" with the value set at "1". Would the write time of this key represent the time of infection?
I have checked all of the typical USB areas, using Harlan's book, and have found very little.
Any input on the "useAuTopLAY" key would be appreciated. Thanks.
I can't offer help on this post, but 3 years a member and 1 post?
Just curious why you haven't posted up until now.
forensicakb, what's the point of your post? Maybe this is a member who subscribed to the newsletter some time ago and only now has felt the need to post to the forums. In any event, what possible business is it of yours???
Jamie
Jamie is a member for 6 years and only 1016 posts???
I'm a slow typer wink
xD
Back to the point, from
UseAutoPlay=1
Windows XP or later; drives of type DRIVE_CDROM
Use AutoPlay rather than AutoRun with CD-ROMs. The action taken on CD-ROM insertion will depend on the version of Windows being used.
On versions of Windows earlier than XP, this key has no effect and actions specified by open or shellexecute are performed.
On Windows XP and later, the user will be presented with the AutoPlay dialog and any actions specified by open or shellexecute are ignored.
You can also check more info on Conficker
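As an added example (not part of this thread, and not code from any poster), the following parser reads an autorun.inf case-insensitively, so a key spelled "useAuTopLAY" is recognised as UseAutoPlay, and then applies the documented rule quoted above: with UseAutoPlay=1 on a CD-ROM type drive, Windows XP and later ignore the open and shellexecute actions, while earlier versions run them. The sample file content is constructed for the demonstration; the assumption that the rule applies only to DRIVE_CDROM drives comes from the quoted documentation line, and the script says nothing about when the file or any registry key was written, which is the separate timestamp question the original poster raised.

```python
import re
from typing import Dict, Optional

# Constructed sample autorun.inf (not taken from any real infection). It uses
# the mixed-case key spelling mentioned in the thread and includes a comment
# line and a non key=value line that a tolerant parser must skip.
SAMPLE_AUTORUN_INF = """\
[AuToRuN]
; comment line, ignored
this line has no equals sign
useAuTopLAY=1
OpEn=setup.exe
ShellExecute=readme.html
Icon=setup.exe,0
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section.

    Section name and keys are matched case-insensitively; keys are returned
    lowercased so callers can look up "useautoplay" regardless of the spelling
    used in the file. Comment lines (';') and lines without '=' are skipped.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = re.fullmatch(r"\[(.+?)\]", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def autoplay_effect(entries: Dict[str, str],
                    windows_xp_or_later: bool,
                    drive_is_cdrom: bool = True) -> Dict[str, Optional[object]]:
    """Apply the quoted UseAutoPlay rule to parsed autorun.inf entries.

    Per the documentation quoted in the thread: UseAutoPlay=1 has no effect
    before Windows XP; on XP and later, for DRIVE_CDROM drives, the AutoPlay
    dialog is shown and any open/shellexecute actions are ignored. Applying the
    rule only to CD-ROM drives is an assumption taken from that quote.
    """
    use_autoplay = entries.get("useautoplay") == "1"
    actions_ignored = use_autoplay and windows_xp_or_later and drive_is_cdrom
    return {
        "use_autoplay": use_autoplay,
        "open": entries.get("open"),
        "shellexecute": entries.get("shellexecute"),
        "open_shellexecute_ignored": actions_ignored,
    }


if __name__ == "__main__":
    parsed = parse_autorun_inf(SAMPLE_AUTORUN_INF)
    print("parsed entries:", parsed)
    for xp_or_later in (False, True):
        print("XP or later" if xp_or_later else "pre-XP",
              "->", autoplay_effect(parsed, xp_or_later))
```

Running the script prints the lowercased entries and, for each Windows generation, whether the open and shellexecute actions would have been honoured. For an investigation this only tells you what the file could do when the medium was inserted; establishing when it was written still requires filesystem and registry timestamps examined in context.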