I've got one question.
When the utility *.txt comes back and says: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"...... Does the "DoesNotExist" mean that the registry item is there?
Not exactly--that is Windows registry programming code that Nick Brown came up with to trick Windows into trying to do something it can't do--it is not a straightforward disabling of AutoRun but has the same effect in a roundabout way. You can get more information about it here: http://nick.brown.free.fr/blog/2007/10/memory-stick-worms
His explanation of what the registry script, which is also known as a hack, does:
This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application. IniFileMapping is a key which tells Windows how to handle the .INI files which those applications typically used to store their configuration data (before the registry existed). In this case it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables to see what they do, in which case, you deserve to have your PC infected.
For some reason this trick isn't working for you and that is what I am trying to figure out.
Just to keep the terminology and what we are doing straight--we have dealt with more than *.txt files but none of them rise to the level of a utility.
: is a registry file (reg file for short) that is a script which allows us to make changes to the registry without actually opening the registry editor (regedit). In this case, the script added/imported a key (which looks like a folder in regedit) and the following value/data: @="@SYS:DoesNotExist"
The entire script is text based so that we humans can understand it, but the Does not exist in this case is just a line of text, not evidence that the reg key does not exist.
: Is a batch file that tells Windows to use the command line to export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf reg key and create the IniReg.txt file to list the details of that key if it exists. If that particular reg key does not exist, then IniReg.txt would not get created.
is proof that the key we were looking for does exist and that the script was written correctly.
OK, so I can see the screenshots after your edit--it does look like the standard autoplay--I don't see any difference between the two so not sure how that is significant. BTW, for future reference, if you hold down the Alt key while pressing the Print Screen key, just the image of the last open window--in this case the autoplay window--will be copied instead of both the autoplay window and your desktop background. Also, if you want to insert the image so that it shows up in this thread, use the IMG Code. To do that, go to your Photobucket album, click on the image you want to share and then click in the box next to IMG code--BB coded text similar to the following will be copied to your clipboard that you can paste into your reply--note that it begins with IMG in square brackets:
When I post that code into this thread you see the photo of me and my family:
Also it is better not to edit your posts if at all possible when you change the information as this can cause some confusion. I know it's hard when you think of things that might be important later, so it's not a real big deal, but I almost responded to what you did before the edit, which could have been confusing. This can all be prevented if, before you click the Add Reply button to post, you use the Preview button next to it. This way you can get all your information straight before you post it and you could have tested that the links to your screenshots worked or not.
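An added example (not from the thread or from Nick Brown's post): a Python check that reads an export such as IniReg.txt and reports whether the Autorun.inf mapping key is present with the `@SYS:DoesNotExist` default value. It assumes IniReg.txt is a regedit-style export; the sample export below is constructed.

```python
import re

TARGET_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\IniFileMapping\Autorun.inf")
EXPECTED = "@SYS:DoesNotExist"
# Constructed sample of what the export should contain (not real output).
SAMPLE = ("Windows Registry Editor Version 5.00\r\n\r\n"
          "[" + TARGET_KEY + "]\r\n"
          '@="@SYS:DoesNotExist"\r\n\r\n')

def decode_export(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252")

def unescape(s: str) -> str:
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text: str) -> dict:
    """Return {lowercased key path: {value name: string data}}; '@' is the default."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def check_mapping(raw: bytes) -> str:
    """Classify an export as 'redirected', 'wrong-value' or 'key-missing'."""
    values = parse_reg(decode_export(raw)).get(TARGET_KEY.lower())
    if values is None:
        return "key-missing"
    ok = values.get("@", "").lower() == EXPECTED.lower()
    return "redirected" if ok else "wrong-value"

if __name__ == "__main__":
    print(check_mapping(b"\xff\xfe" + SAMPLE.encode("utf-16-le")))
```

A result of `redirected` only confirms the registry side of the hack; it says nothing about whether AutoPlay still opens its options window for a drive.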
The only information from the documents and packaging for the HD is: 250G LaCie HD USB 2.0 USA (Design by F.A.Porsche) Product Code 300728U
Well, I just plugged in the LaCie and once again it Autoplayed and finished with the Option window as before. Thanks again for your help. Honestly, I don't know if there is any problem with any of my external storage devices. It's just that I would rather have the opportunity to run some scans before I start restoring my data, music, pictures etc.
OK, I'll see what I can find out about your LaCie drive--it may be a dead end tho. In the meantime, I suggest you install Autorun Eater, which will both protect your system from infection and give me an idea if there is an actual autorun.inf file on the LaCie drive, or if AutoPlay is being invoked in another way that I am not aware of.
So please do the following:
1. Download and install Autorun Eater (AE) from here: http://oldmcdonald.wordpress.com/
2. Right click the AE icon in the System Tray to access most of the program's controls. Hover your mouse over Removal Method then click Ask for Confirmation
3. Plug in your LaCie drive. If there is any autorun.inf file present on that drive, a window from AE similar to the one below will pop up saying there is a suspicious autorun.inf detected.
If this happens, copy the contents of the autorun.inf file listed under Suspicious autorun.inf content, then paste it into your next reply to this thread--or to a Notepad/word processor file so you can post it later. Then click the Remove autorun.inf button--we can restore it later if it's legit. If the autoplay window has popped up again when the drive is inserted, go to the AE menu in the System Tray and enable Close Autoplay before clicking the Remove autorun.inf button.
If you don't get the window from AE indicating autorun.inf is present, let me know.
I suggest you leave AE installed and running in the background. This way you can plug your other drives in and check for the presence of any autorun.inf files. The files are blocked from running while you are deciding what to do with them, so your system won't get infected. Hold off on inserting your other drives til we see what is going on with the disabling of autorun, but even with autorun disabled, I would recommend leaving AE installed as a redundant protection with the added advantage of knowing which drives are actually infected and spreading infection to other drives. This will help prevent further spreading if you ever plug your drives into another computer that doesn't have autorun disabled or other protection. So I recommend another couple of steps be done.
4. In the System Tray menu, click on Add Billy to System Startup. This will allow AE to run in the background so that any time you plug in a drive you are protected. If you turn it off, you have to remember to open AE before plugging in a new drive. It takes up few system resources so I leave it running.
5. To turn off the irritating startup sound, go to the Startup/Exit sound in the Systray menu and turn it off.
I still haven't been able to test the other programs that I mentioned in that other thread but I have had some more experience with AE that makes me believe it protects itself pretty well, so am no longer concerned about that. Depending on your results, we may need to run one of those other programs as I would rather have autorun disabled and AE running for more optimised protection.