
USB Autorun Disabler?


14 replies to this topic

#1 bsgranpa


Posted 02 November 2009 - 06:53 PM

A few days ago, I was reading through the posts to see if someone else was having the same kind of problem I was experiencing on my wife's computer. One of the experts utilized a utility which disabled the autorun on thumb drives, external Hard Drives, etc. and installed a mini-program which prevented any future auto-runs. I use a lot of external storage between computers. I would like to protect my machines from bad things transferred this way. Does any one know of this utility? Is it appropriate for my planned usage. Thanks in advance for any help.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


 


#2 garmanma


Posted 02 November 2009 - 07:17 PM

http://support.microsoft.com/kb/967715
Mark

#3 RedDawn


Posted 03 November 2009 - 01:19 AM

Maybe Panda USB Vaccine?

See HERE & HERE.


:thumbsup:

#4 tg1911


Posted 03 November 2009 - 01:32 AM

Are you referring to Flash_Disinfector? (direct download link)

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.

* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.

* Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.

* Wait until it has finished scanning and then exit the program.

* Reboot your computer when done.

Note:
As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Running the tool disables autorun.
It also creates a dummy autorun.inf file, to make it more difficult to become infected.

#5 gully786


Posted 03 November 2009 - 06:29 AM

Panda USB seems to affect floppy drives in a funny way

Every time you connect a USB it makes the usual sound when you start a scan with Malwarebytes it sounds like it will explode

I'd advise turning it off using the registry like garmanma's link describes

#6 bsgranpa


Posted 03 November 2009 - 05:22 PM

"Flash Disinfector" is the one I was reading about. Thanks for the move to the correct area and thanks for the help. Is this utility a good idea for someone who transfers files and documents from a variety of computers?

#7 boopme


Posted 03 November 2009 - 10:04 PM

Yes, and it should be run on the device and the PCs it contacts.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

#8 Papakid


Posted 05 November 2009 - 02:11 PM

Hi bsgranpa,

Flash Disinfector (referred to hereafter as FD) is a great little program that does offer protection against autorun malware but it does have some drawbacks, as does most software. There is also other info you should be aware of as well as alternatives to FD.

First you should acquire some knowledge, if you don't have it already, of how autorun infections work so that you have a better idea of how to deal with them. A Flash Drive that has been inserted into an infected computer will have two elements; one, the malicious payload in the form of executable files--basically the infection itself, and two, an autorun.inf file, which is known as a loading point. No matter how vicious, malware files (the payload) can't affect you unless they are started/run/opened/loaded into memory. That's where the loading point (autorun.inf) comes in. Without a loading point it is like having bullets with no gun.

Especially for Windows XP, autorun is enabled by default so that, when you insert a flash drive into a computer, the autorun.inf file is automatically executed, which in turn tells Windows to execute the payload--the malicious executable files or infection. One element of the infection is that this autorun.inf loading point file, along with the payload files, is copied to the root of other flash drives that are inserted into the computer--and perhaps your hard drive partitions as well--so that the malware continues to spread. If autorun is disabled and/or if autorun.inf does not exist, then the payload files will sit harmlessly on the Flash Drive. Most of those payload files will be cleaned up by your antivirus software, just like any other known malicious file.

When FD first came out it was designed primarily to clean up both the malicious files and to prevent further spreading by "inoculating" every partition with a dummy autorun.inf file and disabling autorun. It uses some other methods that I won't go into as it makes defeating FD too easy for malware authors and script kiddies. Back then, antivirus would not check autorun.inf files because the file itself is legitimate--what is harmful is how it is written. USB flash drives can have legitimate programs launched via autorun.inf. For example, Portableapps.com will write to the autorun.inf file so that its launcher--a sort of Start menu for the flash drive--will run whenever your Flash drive is inserted into another computer. The contents of that autorun.inf file will look something like this:
[Autorun]
Open=StartPortableApps.exe
Action=Start PortableApps.com
Icon=StartPortableApps.exe
Label=PortableApps.com

Malicious autorun.inf files will use the name of their payload executable file in place of StartPortableApps.exe. Antivirus programs are not designed to deal with this, although some may be changing now. But the point is that in the early days, not many infections used this method, so the author of FD would keep the tool updated so that it both cleaned up malicious payload files and inoculated to prevent further spread by dealing with the autorun.inf file. Now this infection method is so widespread--especially since Conficker came out--that the author no longer has time to keep it updated. He is an active malware fighter and much of his time is spent on keeping another of his excellent removal tools current and effective. So he's left removal of newer payload files to antivirus/antimalware programs. However, running it to prevent the autorun.inf file from executing and thus preventing the spread of infections is still quite effective and useful.

"A few days ago, I was reading through the posts to see if someone else was having the same kind of problem I was experiencing on my wife's computer."

First of all, did you get this resolved? This may or may not be something that can be fixed with FD. Infections still spread in the older, conventional ways, such as email attachments, so Flash Drives may not be involved at all. If you need more help with that let us know.

"One of the experts utilized a utility which disabled the autorun on thumb drives, external Hard Drives, etc. and installed a mini-program which prevented any future auto-runs."

As explained above, it is not really a mini-program that FD uses. Alternatives to FD are, which I will get into in just a bit. But this is where FD has drawbacks.

1. FD makes some changes to your system that aren't easily reversible. For example, the warning you've gotten from previous posters to not delete the dummy autorun.inf file is a little outdated. Malware writers saw that and soon figured out that a dummy file set to read only is easily defeated, so the dummy was changed in such a way that the autorun.inf folder is very difficult to delete--again, I won't say how so that we don't make it too easy for the malware writers. Personally, I like to be able to reverse anything done with some ease. A good argument can be made that the spread of autorun malware is so pervasive that reversing the changes is not necessary and therefore not as important as the security of everyone with a USB port/card reader, so it is all for the common good. However, I would still like to know what is changed even if I can't reverse it. Not knowing can cause unnecessary worry and confusion. It's very common for people to have heard that autorun.inf is bad, and then when they see the dummy by that name put there by FD, to come to believe they are infected.

With knowledge of how autorun.inf infections work, the dummy is redundant as a prevention method. If a person disables autorun and never, never ever re-enables it, then you won't have to worry about the autorun.inf loading point being executed--you are taking the gun away so that the bullets are useless. My problem with the MS article's instructions (that garmanma linked to) for disabling autorun is that they are too complex for the average person and many are gun-shy of editing the registry. A great alternative is to run a batch file that will do this very easily. Go to the following Conficker removal guide, scroll down to the last few paragraphs and follow the instructions for the file linked to as Noauto.reg download link.
http://www.bleepingcomputer.com/virus-remo...nadup-conficker

2. FD is not your typical program. It doesn't have a home page where you can get additional information and support. As a rule of thumb, I don't like to have programs on my computer that have no support or any way of contacting the author. As mentioned earlier, it's not really a program as much as a quick cleanup tool combined with one time changes to your computer's settings--it doesn't run in the background. But it is still easy for the common user to be confused about this.

"Is this utility a good idea for someone who transfers files and documents from a variety of computers?"

Bottom line is that running FD will protect your system from future autorun infections. Depending on your situation, you might need its redundancies, otherwise disabling autorun will protect you just as well. Then there are some alternatives that are less invasive and a bit more transparent--programmers are starting to catch up to this relatively new threat. I have been intending to write a guide and test these programs but have not had the time to finish that yet. But here is a bit of what I know at this point.

1. Autorun Eater:
http://oldmcdonald.wordpress.com/
This is more along the lines of "utility" program that stands guard much the way you've envisioned it. It's for people who don't want to disable autorun, but that makes it necessary for it to always run in the background, which is a drawback if you have limited computing resources.

It works by blocking any autorun.inf from executing, shows you the contents of the file, and gives you the option of removing it or to ignore it. If you remove, a backup is made so that it can be restored later. As an extra feature, it can restore Task Manager, Regedit and Folder Options, which many autorun infections disable.

Many malware removal specialists believe there are no legitimate autorun.inf files out there so no need for an ignore function, not to mention leaving autorun enabled. But as you can see, Portableapps.com is legit and most USB Flash drive vendors include similar launchers, such as U3, that may or may not make use of the autorun.inf file and there are other third party launchers out there. However, the point remains that these launchers starting up when inserted are a convenience and shouldn't be preferred over good security practices. You can still start these launchers manually.

The two big drawbacks to this program, besides it running in the background, are, one, it may be that it can be easily defeated and two, the author thinks it's cute to have a goat bleat at you whenever you log in--which is very irritating after the first or second time it happens. However, the bleating is easily disabled. A third drawback is that you must have some knowledge of what files are not malicious.

I have this running on my system but haven't thoroughly tested it yet. I wouldn't recommend it to everybody depending on circumstances.

2. Panda USB and AutoRun Vaccine:
http://research.pandasecurity.com/archive/...un-Vaccine.aspx
As also linked to by RedDawn. I haven't tried this one out yet but from the description it sounds as if it is much like FD without the cleanup of malicious payload files. It also doesn't run in the background, although there are plans to make that an option.

One drawback is that it is also not easily reversible. To delete the inoculation, one must reformat the flash drive. It shouldn't be that big a deal as you can easily copy the entire contents of Flash drives to your hard drive--unless it is almost full.

3. Autorun Protector:
http://raylin.wordpress.com/2009/03/11/autorun-protector-10/
I've only had time to read over the description of this one, but it sounds pretty good. However, I am not sure what methods are used for protection, so I can't recommend it at this time.

I hope this helps some. Another factor to consider is the state of the computers that you use your Flash drives on. If you use them only on computers that you have some control over and thus have instituted a practical security policy so that they stay free of infections for the most part, then infections spreading via USB drives won't be much of a problem. It's when you use those drives on less secure systems--when FD was first developed, students were getting infected every time they inserted a Flash drive connected to the college's system--that was infected.



#9 broady59


Posted 05 November 2009 - 07:29 PM

Best USB stick I ever purchased is a 16 gig stick with a read/write switch on the end. No write - no infections. Hard to find but Newegg had one. Load one up with all your tools and plug it into an infected machine without worry of infecting yourself.

#10 quietman7


Posted 06 November 2009 - 08:23 AM

Nice write-up Papakid. I've bookmarked it for future referral. :thumbsup:

#11 bsgranpa


Posted 07 November 2009 - 10:22 AM

"Nice write-up Papakid. I've bookmarked it for future referral. :thumbsup:"


I agree entirely. Papakid, you are very kind to share in such detail and to take the time to help educate. I fear that I'm really playing "catch up" in the technology arena. We weren't quite using an abacus when I was a youngster but I did lay out $110 for a slide rule in college. That was a fortune then. I have a great deal of gratitude for this community of kind folks who donate selflessly their time and expertise to help out old geezers in a jam. Thanks to all.

#12 stillwaters


Posted 07 November 2009 - 03:11 PM

"Nice write-up Papakid. I've bookmarked it for future referral. :flowers:"



This was a big help to me also! I really appreciate that you took the time to explain pros and cons, and didn't just say "use this program" without us really understanding the implications. After reading your lecture, I think the best option for me is to follow the advice in the Microsoft article.

(Look out for my post in the Windows XP forum "Need help recovering system after attempting registry changes. :thumbsup: ")

#13 Papakid


Posted 08 November 2009 - 02:13 AM

Thank you all for the complimentary comments. Personally, I think what I've written so far falls short of what I would really like to do, which is write a more comprehensive guide and tutorial. There are several aspects of this that I haven't addressed but I need to do more research to make sure my information is accurate. In some ways I may have oversimplified this issue--be advised that malware writers are very clever and that security is a matter of risk reduction, not risk elimination, so no protection methods are foolproof.

To stillwaters, I hope you don't have to come to us with registry problems. I realize your comment is tongue in cheek, but I'm just saying--those MS articles are very confusing--which operating system is affected and how severely and which one needs a patch so you can disable autorun completely--and then there is a whole other patch that will, in theory at least, disable autorun on its own. All those programs I mentioned, with the exception of AutorunEater, disable Autorun, so that would be much easier for you.

I ran across a post on this subject with some additional information at spywareinfo forums written by TheJoker--also be sure to read snemelk's page linked to at the end of it.
http://www.spywareinfoforum.com/index.php?showtopic=125953

Some other considerations:

1. There is a difference between Autorun and Autoplay and I haven't seen an explanation that is very clear. I'll try to come up with one if I can figure out how to make it clearer unless someone beats me to it.

2. Optical drives (CD/DVD, etc.) are not affected in the same way. In theory, a malicious autorun.inf file could still be executed from a CD, but this won't happen much because it isn't as easy to write to a CD--because the malware would have to use burning software--and so it doesn't spread as easily as compared to writable media like USB drives. AutorunEater doesn't scan optical drives unless you ask it to and Windows 7 has autorun disabled for all drives except optical media.

3. The U3 platform may present itself as an optical drive. I need to research this more before commenting further but this may be a loophole in protection methods. However, I am fairly sure that U3 may be nice to have but is unnecessary and so can be deleted from USB drives so that it can be used just like any other drive.

4. The Panda program originally worked only on FAT and FAT32 file systems although I believe it's been updated to work with NTFS now. For the USB drives that I use, FAT/32 is recommended by the manufacturer because it is supposed to be faster for Flash memory so I believe most drives don't use NTFS. It may be that the Autorun Protector only works on NTFS formatted drives.

5. Another infection vector is the MountPoints2 registry key. Flash Disinfector and Autorun Protector clear these keys so that any cached autorun.infs aren't executed.

I've also run across some small programs that do nothing but disable autorun, but I won't post about them until I can verify that they can be trusted. Spreading malware through tools that are supposed to get rid of it is too common now--be careful what you download.

bsgranpa, I'm old enough to remember slide rules as well--but don't remember them being that expensive. As a matter of fact we had an abacus at school. I remember when pocket calculators by Texas Instruments first came out--some schools banned them, afraid no one would actually learn math--now you have to have a computer to go to college.

More to come I hope. I almost forgot that there is an issue with some drive opening when autorun.inf is deleted. I'll be back when I have more and better information. Kind of hard to do during football season though. :thumbsup:



#14 quietman7


Posted 08 November 2009 - 09:03 AM

"There is a difference between Autorun and Autoplay and I haven't seen an explanation that is very clear. I'll try to come up with one if I can figure out how to make it clearer unless someone beats me to it."

These are some notes and links I saved in regards to the difference.

Autorun is the feature (functionality) built into Windows that enables a CD-ROM drive or a fixed drive to specify a program to be started immediately upon the connection of the drive. Autorun will automatically run a program specified by the file "autorun.inf" whenever a CD-ROM or DVD is plugged into a Windows-based computer. Autorun is intended as a convenience to automatically start an installer when removable media is inserted into the computer.

For flash drives and other USB storage, autorun.inf uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file. Some types of malware can modify the context menu (adds a new default command) and redirect to executing the malicious file if the "Open" command is used or double-clicking on the drive icon.

AutoPlay is the feature (functionality) built into Windows that detects and examines the content (Pictures, Music, Video files) on the CD-ROM, or other removable media and then launches an appropriate application to play or display the content. Each media type can have a set of handlers registered with AutoPlay which can deal with playing or displaying that type of media. AutoPlay can also give the user options based on the media type of files found. As a part of its functionality, Autoplay makes use of AutoRun but instead of automatically looking for autorun.inf, it considers the event in conjunction with the various programs registered on the computer. When you try to play a CD or another media type that uses autorun, AutoPlay asks you to choose to play the autorun content or to skip it.
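The autorun.inf mechanism described by Papakid in post #8 and by quietman7 in post #14, as an added Python example that is not part of any post or of the tools discussed: it parses an autorun.inf and lists every program the file asks Windows to start, so the file can be reviewed before anything is opened. It goes beyond the Open= line shown in the thread to cover the documented shellexecute and shell\verb\command entries; the second sample and the name EXAMPLE_PAYLOAD.exe are constructed placeholders.

```python
import re

# Keys in the [autorun] section that name a program for Windows to start.
# "open"/"shellexecute" are used on insertion when AutoRun is enabled;
# "shell\<verb>\command" defines a command on the drive's context menu and
# "shell=<verb>" makes one verb the default (double-click) action.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

# Contents shown in the thread for a PortableApps.com drive.
PORTABLEAPPS_SAMPLE = r"""[Autorun]
Open=StartPortableApps.exe
Action=Start PortableApps.com
Icon=StartPortableApps.exe
Label=PortableApps.com
"""

# Constructed sample (not from a real drive); the file name is a placeholder.
CONSTRUCTED_SAMPLE = r"""; constructed sample
[AUTORUN]
this line is padding and has no key
open=EXAMPLE_PAYLOAD.exe /s
shell\open\command=EXAMPLE_PAYLOAD.exe
shell\Scan\command="EXAMPLE_PAYLOAD.exe" /s
shell=Scan
"""


def parse_autorun(text):
    """Return {lowercased key: value} for the [autorun] section only.

    Section and key names are matched case-insensitively; comment lines
    and lines that are not key=value are skipped.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def target_of(command):
    """Program named by a command line: a quoted path or the first token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


def audit(text):
    """List every launch entry in the file, with notes on how it triggers."""
    entries = parse_autorun(text)
    default_verb = entries.get("shell", "").lower()
    findings = []
    for key, command in entries.items():
        if not LAUNCH_KEY.match(key) or not command:
            continue
        if key in ("open", "shellexecute"):
            notes = ["runs on insertion if AutoRun is enabled"]
        else:
            verb = key.split("\\")[1]
            notes = ["adds drive context-menu command '%s'" % verb]
            if verb in ("open", "explore"):
                notes.append("replaces the standard '%s' command" % verb)
            if verb == default_verb:
                notes.append("set as the default (double-click) command")
        findings.append({"key": key, "command": command, "notes": notes})
    return findings


def launch_targets(text):
    """Sorted, de-duplicated program names the file would start."""
    return sorted({target_of(f["command"]) for f in audit(text)})


if __name__ == "__main__":
    for name, sample in (("PortableApps", PORTABLEAPPS_SAMPLE),
                         ("constructed", CONSTRUCTED_SAMPLE)):
        print(name, "->", launch_targets(sample))
        for f in audit(sample):
            print("   %-22s %s  [%s]" % (f["key"], f["command"], "; ".join(f["notes"])))
```

An empty result means the file names no program to start; any target listed is the file to look at on the drive, whether it turns out to be a launcher like StartPortableApps.exe or something unexpected.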

#15 stillwaters


Posted 08 November 2009 - 05:17 PM

"To stillwaters, I hope you don't have to come to us with registry problems. I realize your comment is tongue in cheek, but I'm just saying--those MS articles are very confusing--which operating system is affected and how severely and which one needs a patch so you can disable autorun completely--and then there is a whole other patch that will, in theory at least, disable autorun on its own. All those programs I mentioned, with the exception of AutorunEater, disable Autorun, so that would be much easier for you."


Thanks for your concern, I actually tried to follow the instructions in the Microsoft article, but when I tried modifying the value to 0xFF it wouldn't let me type the x - probably because it's not hexadecimal. I'm sure there's something obvious I'm doing wrong, but I'm prudent enough not to experiment without knowing exactly what I'm doing. I have edited the registry safely in the past. In the end I applied the update linked to in the Spywareinfoforums article that should do the same thing. Besides, after trying for around a month to apply multiple times a day to the malware removal training program here at BC, I applied to the MRU, and I'm currently on the waiting list, so I'm going to have to learn to work with the registry sooner or later.

BTW I have a Sandisk USB flash drive with U3, so if there's any research I can help you with for your tutorial/guide let me know! I'm a n00b but I love playing around. Thank you again for your help!



