BleepingComputer.com: Noauto.reg

Some time back I received some very good advice per Topic:

http://www.bleepingcomputer.com/forums/ind...amp;hl=bsgranpa

I went through a "Reformat and Fresh Install" and have updated Windows and am current with all service packs and critical updates (java and others as well). I have AVG updated and running. Now, prior to going to my Lacie USB 2.0 hard drive, I followed the instructions for Noauto.reg. However, when I plugged in the external drive two screens appeared. Uploaded images. EDIT: I can't figure out how to upload or insert the screen shots. However, the first shows a small window which says, "Auto-Play" with a flashing of the files and folders on the external hard drive. The second screen shot shows the normal Windows query, "What do you want windows to do?" (play music, show video, etc.)

When it started, I ran a full AV scan which showed no infections. However, I'm not sure why the external HD started as it did after having installed the Noauto.reg. Quick question, did I do something wrong?

This post has been edited by bsgranpa: 24 January 2010 - 11:55 AM

Not sure that you did anything wrong. Let's see if we can figure out what has happened.

If you installed Windows to your C drive, download this batch file and save it to your desktop-->  IniReg.bat (117bytes)
Number of downloads: 23

Double-click IniReg.bat to run it. You may get a security warning--allow it as I've tested it and know it's safe. A black command window may flash across the screen--this is normal and expected.

Now go to My Computer and open your C drive (right click/Explore). Look for the file named IniReg.txt. If it exists, open it and copy and paste it's entire contents in your next reply. If you can't find the IniReg.txt file in the root folder of your C drive, then the Noauto.reg registry script didn't "take". If you have installed some type of registry monitor like Spybot Search & Destroy's TeaTimer, disable that. Either way, try running Noauto.reg again, reboot, then run my batch file again. BTW, in my opinion, TeaTimer is more trouble than it is worth for most people so I would uninstall it--let me know if it was even on your system tho and how everything else turns out.

Also, remind me of what operating system you are running--XP?

Greetings my friend. I'm happy to see that you are around and about to help an old geezer like me. I did indeed have Spybot SD installed. I have just now uninstalled it. I am running XP Professional.

Here is "IniReg.txt"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

I still haven't figured out how to insert the screen shots. So if you need them, please give me some idea how to provide such. Thanks again.

EDIT #1: After a while, since I had uninstalled SpyBot, I deleted the IniReg.txt on C; Reran Noauto.reg; restarted; then reran IniReg.txt. It is identical to above. So, that is not working for some reason. I scanned the external hard-drive for viruses and it came back clean. I have two external HD's and several thumb drives of various sizes. Therefore, after just going through a reformat and reinstall (sounds simple and is if you don't count all of the updates, etc.) I hesitate to start plugging in to my external devices until I have protection.

EDIT #2: Just curious, what does the "paperclip" symbol mean next to the topic title?

This post has been edited by bsgranpa: 24 January 2010 - 08:27 PM

Hi bsgranpa. Glad to be of assistance, or at least hope I can be--us old farts have to stick together.

Not sure what is going on--it sounds like you are getting the standard AutoPlay Window, which would mean Autrorun is not disabled, altho the Noauto.reg file has successfully been written to your registry--my batch file and your feedback confirms this. So my question at this point is, after carrying out my instructions, have you tried plugging in your external drive again? If not try it and see if you still get the AutoPlay Window. Hold off on plugging in any of the other drives.

Even tho I know what the standard AutoPlay window looks like, I think it would be better to confirm so I would like to see the screenshots. Not sure how you've tried going about it, but suspect you have tried to attach the image files to this thread, which won't work. You have to go to an image hosting site like Photobucket, ImageShack, etc.

Read over the following tutorials and let me know where you need help--if you still do:

How to make a screen shot in Windows

How To Capture And Edit A Screen Shot

How old is your Lacie drive? Give me the model number if there is one or at least the capacity--than I can go to their website and see if it is supposed to use AutoPlay--or link me to the webpage that describes it if you know where it is.

I picked this one out as an example:
http://www.lacie.com/products/product.htm?pid=11378

Looking at its user's manual, this one should not use autoplay--you have to go to My Computer to access the drive. That may only be true of new/ish drives.

The paperclip means there is a file attached to the thread--the batch file I had you run.

I've got one question.

When the utility *.txt comes back and says: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"...... Does the "DoesNotExist" mean that the registry item is there?

This is the link to the first of the screen shots which scrolls by quite rapidly when first plugged in

http://s791.photobucket.com/albums/yy200/b...ser_media_share

This is the second window which appeared:

http://s791.photobucket.com/albums/yy200/b...ser_media_share

The only information from the documents and packaging for the HD is: 250G LaCie HD USB 2.0 USA (Design by F.A.Porsche) Product Code 300728U

Well, I just plugged in the LaCie and once again it Autoplayed and finished with the Option window as before. Thanks again for your help. Honestly, I don't know if there is any problem with any of my external storage devices. It's just that I would rather have the opportunity to run some scans before I start restoring my data, music, pictures etc.

Let me know if the link to the screen shots worked.

This post has been edited by bsgranpa: 25 January 2010 - 09:35 AM

bsgranpa, on Jan 25 2010, 08:26 AM, said:

Not exactly--that is Windows registry programming code that Nick Brown came up with to trick Windows into trying to do something it can't do--it is not a straight-forward disabling of AutoRun but has the same effect in a round about way. You can get more information about it here: http://nick.brown.free.fr/blog/2007/10/memory-stick-worms
His explanaition of what the registry script, which is also known as a hack, does:

Quote

For some reason this trick isn't working for you and that is what I am trying to figure out.

Just to keep the terminology and what we are doing straight--we have dealt with more than *.txt files but none of them rise to the level of a utility.

1. Noauto.reg: is a registry file (reg file for short) that is a script which allows us to make changes to the registry without actually opening the registry editor (regedit). In this case, the script added/imported a key (which looks like a folder in regedit) and the following value/data: @="@SYS:DoesNotExist"
The entire script is text based so that we humans can understand it, but the Does not exist in this case is just a line of text, not evidence that the reg key does not exist.

2. IniReg.bat: Is a batch file that tells windows to use the command line to export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf reg key and create the IniReg.txt file to list the details of that key if it exists. If that particular reg key does not exist, then IniReg.txt would not get created.

3. IniReg.txt is proof that the key we were looking for does exist and that the script was written correctly.

OK, so I can see the screenshots after your edit--it does look like the standard autoplay--I don't see any difference between the two so not sure how that is significant. BTW, for future reference, if you hold down the Alt key while pressing the Print Screen key, just the image of the last open window--in this case the autoplay window--will be copied instead of both the autoplay window and your desktop background. Also, if you want to insert the image so that it shows up in this thread, use the IMG Code. To do that, go to your Photobucket album, click on the image you want to share and then click in the box next to IMG code--BB coded text similar to the following will be copied to your clipboard that you can past into your reply--note that it begins with IMG in square brackets:

[IMG]http://img.photobucket.com/albums/v159/Papakid/padaria_girassol2big.jpg[/IMG]

When I post that code into this thread you see the photo of me and my family:


Also it is better not to edit your posts if at all possible when you change the information as this can cause some confusion. I know it's hard when you think of things that might be important later, so it's not a real big deal, but I almost responded to what you did before the edit, which could have been confusing. This can all be prevented if, before you click the Add Reply button to post, you use the Preview button next to it. This way you can get all your information straight before you post it and you could have tested that the links to your screenshots worked or not.

bsgranpa, on Jan 25 2010, 08:26 AM, said:

OK, I'll see what I can find out about your LaCie drive--it may be a dead end tho. In the meantime, I suggest you install Autorun Eater, which will both protect your system from infection and give me an idea if there is an actual autorun.inf file on the LaCie drive, or if AutoPlay is being invoked in another way that I am not aware of.

So please do the following:

1. Download and install Autorun Eater (AE) from here: http://oldmcdonald.wordpress.com/
2. Right click the AE icon in the System Tray to access most of the program's controls. Hover your mouse over Removal Method then click Ask for Confirmation.
3. Plug in your LaCie drive. If there is any autorun.inf file present on that drive, a window from AE similar to the one below will pop up saying there is a suspicious autorun.inf detected.

If this happens, copy the contents of the autorun.inf file listed under Suspicious autorun.inf content, then paste it into your next reply to this thread--or to a Notepad/word processor file so you can post it later. Then click the Remove autorun.inf button--we can restore it later if it's legit. If the autoplay window has popped up again when the drive is inserted, go to the AE menu in the System Tray and enable Close Autoplay before clicking the Remove autorun.inf button.

If you don't get the window from AE indicating autorun.inf is present, let me know.

I suggest you leave AE installed and running in the background. This way you can plug your other drives in and check for the presence of any autorun.inf files. The files are blocked from running while you are deciding what to do with them, so your system won't get infected. Hold off on inserting your other drives til we see what is going on with the disabling of autorun, but even with autorun disabled, I would recommend leaving AE installed as a redundant protection with the added advantage of knowing which drives are actually infected and spreading infection to other drives. This will help prevent further spreading if you ever plug your drives into another computer that doesn't have autorun disabled or other protection. So I recommend another couple of steps be done.

4. In the System Tray menu, click on Add Billy to System Startup. This will allow AE to run in the background so that any time you plug in a drive you are protected. If you turn it off, you have to remember to open AE before plugging in a new drive. It takes up few system resources so I leave it running.

5. To turn off the irritating startup sound, go to the Startup/Exit sound in the Systray menu and turn it off.

I still hven't been able to test the other programs that I mentioned in that other thread but I have had some more experience with AE that makes me believe it protects itself pretty well, so am no longer concerned about that. Depending on your results, we may need to run one of those other programs as I would rather have autorun disabled and AE running for more optimised protection.

Papakid, I will be home this evening and will fire up the laptop and get started. Please, what's a "System Tray"? And, where's the Systray Menu? All of a sudden, I have a feeling that you are crediting me with somewhat more savvy than is appropriate. Don't forget the official "old fart" status I hold.

Well, my friend... I did everything you said. When I plugged in the LaCie, the auto-play appeared just as before and then the "Options" window appeared. I am currently plugged into the HD and AE is just sitting there doing nothing. I'm pretty sure that I did it right. Ideas? Should I try my other external storage devices and see what happens?

The LaCie is three or four years old and may have something that is enough different from what is common these days that the AE does not account for it. I'll stand by for your quidance. I'm just fine for now without my music and pictures, etc.

Well, friend, I think you are pretty much safe. There must be a way for the AutoPlay options window to run when no autorun.inf file exists. I am not a technician, so it will take old slow me a few days to research how that could happen. The most important thing to determine is if there is any autorun.inf file present on your LaCie drive--or any drive you insert. From what you've told me AE doesn't see any autorun.inf file. To double-check, you can just look in the root of your LaCie drive (right click the My Computer icon of whatever drive letter it is and click explore). You may need to unhide files, instructions on how to do this can be found here:

For XP:
How to see hidden files in Windows

You may want to re-hide files when done by reversing the steps, but I recommend you leave file extensions showing.

Do you see an autorun.inf file on your LaCie drive?

Let me know. I will be looking into more protection that you may need in the meantime, but as long as there are no autorun.inf files causing other malware files to run you're not running a very high risk of re-infection. Scan the LaCie with your anti-virus to remove any possibly dormant malicious files and you should be in pretty good shape. If they are mostly text based files, photos, and music, your AV probably won't find anything anyway.

For your other drives, you can follow the steps in my previous post--insert the drive and let AE remove any autorun.inf file it finds after you have copied the contents of the file to notepad to post it here to review if it is OK or not. Then scan the drive with your antivirus--you can also right click the drive and scan with MBAM if that is installed.

The System Tray is also known, since XP, as the Notification area. It is the area down next to your clock where you see some icons. SysTray is just an abbreviation of System Tray. I believe you've figured out the menu I was referring to--it is the controls you get when you right click the AE icon in the System Tray.

This post has been edited by Papakid: 25 January 2010 - 11:11 PM

I did do a file check for all *.exe, *ini and scanned with AV. I guess I'm just looking for a extra measure of safety. Thank you for your time and heart to share your knowledge. I will do as you say and test all devices prior to any restorations. Take care my friend. If anything does arise, I know who to call on.

Papakid, I had one other idea. Is there any conflict between AutoRun Eater and the registry modification we made. In other words, if the registry dictates that the *ini command "Does Not Exist", would AE still find and report?

No, there is no chance of a "conflict". I understand that it is confusing, but you are not understanding what the reg file/modification does. It has nothing to do with whether autorun.inf files exist or not; in simplest terms, it is telling Windows to ignore any autorun.inf file and so is a backhanded way of disabling the autorun feature of Windows. AE will find, and optionally remove autorun.inf files if they exist and regardless of if the autorun feature of windows is enabled or not. If the autorun feature of Windows is enabled, AE will block any found autorun.inf file from running til you decide what to do with it.

So you have two methods that prevent the design of autorun/Flashdrive malware from working correctly. To extend the analogy from my earlier thread, the removal of autorun.inf is like taking away a gun so that the bullets are useless. Disabling the autorun feature of windows, however it is accomplished, is like removing the gunpowder from the bullets--even if you have a gun, bullets with no gunpowder won't work. So if you have both protection measures at the same time (AE blocking and removing autorun.inf files and the autorun feature of windows disabled) then you have bullets that won't work because they have no gunpowder and you have no gun to fire them with.

I think you understand this, it's the how of the reg file/modification that has you confused. Just remember that the file is code and is not meant to make sense in standard English. The code is a language of its own and you have to understand that language to understand the code.

Do stay tuned to this thread, I suggest you subscribe to it if you haven't already, as I plan on coming back to it as I don't think it is all resolved. It just may take a while as I have some other ongoing projects that are somewhat time-consuming. However, there are a couple of other things I am going to look into and get back with you shortly.

This post has been edited by Papakid: 26 January 2010 - 10:16 AM

Thanks again my friend. I guess that......

"I Called the Doctor, woke him up"

This post has been edited by bsgranpa: 26 January 2010 - 01:39 PM

You're such a silly woman

Call me in the mornin'

OK, Papakid. I tried another external HD. This time it is a Western Digital 60G, Model #WD600U017-000

Follows a link to the screen shot. Nothing at all from AE. Maybe they're using bows and arrows.

<a href="http://s791.photobucket.com/albums/yy200/bsgranpa/?action=view&current=screenshot3.jpg" target="_blank"><img src="http://i791.photobucket.com/albums/yy200/bsgranpa/screenshot3.jpg"</a>

I know that you said that you were working on some other projects. Please do not divert your attention to this until it is appropriate. Thanks again

This post has been edited by bsgranpa: 26 January 2010 - 07:20 PM