
Autoplay


8 replies to this topic

#1 Tzivitzonis

Tzivitzonis

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:08:46 AM

Posted 18 January 2013 - 04:10 PM

Mod Edit: Split from http://www.bleepingcomputer.com/forums/topic427623.html - Hamluis.

Could I possibly have the same help as above to re-enable my "autorun" feature? Autorun, in my situation, turned off after having recovered from this trojan attack. According to nasdaq (my BC forum helper) I am clean as far as he can see at the moment. I would like to turn my autorun feature back on when I insert a CD, USB stick, etc.

The logs, like the ones requested above, are:
reg1.txt
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:00000143
"NoDrives"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]

reg2.txt
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000143
"NoDriveAutoRun"=dword:03ffffff
"NoDrives"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]


Thanx a lot in advance! :)

Edited by hamluis, 18 January 2013 - 04:34 PM.
PM sent new OP - Hamluis.



#2 caperjac

caperjac

  • Members
  • 1,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NS. CAN
  • Local time:03:46 AM

Posted 18 January 2013 - 06:32 PM

Hi, I use the Microsoft auto play/run fix found in this Microsoft link. Good luck.

http://www.microsoft.com/en-us/download/details.aspx?id=2648

My answers are my opinion only,usually


#3 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:04:46 PM

Posted 19 January 2013 - 01:45 AM

Autorun, in my situation, turned off after having recovered from this trojan attack.

In this case, I would like to check for an entry in the Windows registry which I anticipate being present and relevant.

Step 1: Please export to text file the content of a registry key:
  • Click Start > Run
  • Copy and paste the following line of code in the open Run box
regedit /e C:\reg3.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
  • Now click OK

Step 2: Please post the content of the exported registry key for me to review:
  • Double-click/Open My Computer and then navigate to C:\ drive
  • In there, you will find a text file named reg3.txt (or perhaps simply reg3).
  • Double-click the file to open it with Notepad.
  • Copy and paste the entire contents of that file in your next reply.

AustrAlien
Google is my friend. Make Google your friend too.


#4 Tzivitzonis

Tzivitzonis
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:08:46 AM

Posted 19 January 2013 - 06:40 AM

In this case, I would like to check for an entry in the Windows registry which I anticipate being present and relevant.

Here you are:

reg3.txt
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:Software\\Swearware\\dump"


caperjac thanx! I will also keep that in mind!! :thumbup2:

#5 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:04:46 PM

Posted 19 January 2013 - 08:36 AM

Thank you. :thumbup2:

Step 1: Re: reg1.txt and reg2.txt
  • It is not necessary to have the "NoDriveAutoRun" entry in the registry at all, so I suggest that we delete it.
  • I also suggest that we change the "NoDriveTypeAutoRun" value to the default value of 91 (currently 143).

Step 2: Re: reg3.txt
  • All autorun.inf function on the system has been disabled as a preventative security measure. The following key was added to the registry to prevent the system taking any action on whatever was contained in an autorun.inf file:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf <<< key
  • I suggest that we delete the Autorun.inf key.
Please be aware that if you choose to enable the activation of autorun.inf files, the system will be at increased risk of infection from disks or devices that you now connect to it. You should exercise appropriate caution to avoid malware infection! I will provide instruction for you to enable autorun, but suggest that you do not use it unless you are absolutely sure that you are prepared to accept the possible consequences of doing so. That decision is yours to make.

Note: The registry keys that you have already exported and posted in this thread serve as a backup if you decide to proceed with the suggested changes.
  • To reverse any change you may make using the below instructions, simply import the key(s) again.

Step 3: Please open Notepad and paste the entire contents of the code box below into the open window of a new text file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=-
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=-
"NoDriveTypeAutoRun"=dword:00000091

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]


  • Ensure there are NO blank lines before "Windows Registry Editor Version 5.00"
  • Ensure there IS one blank line at the end of the file, below the last line of text.
In the main menu of Notepad go to File > Save
  • In the "Save as type" box, choose "All files"
  • Enter the file name as autorun.reg
  • Choose your Desktop as the "Save in" location
  • Click on "Save".
Close the Notepad window.

On your Desktop, locate the file that you just created, autorun.reg.
  • Double-click on the file.
  • When prompted "Are you sure ... ", click "Yes".
Restart the computer normally to ensure that the changes are made. <<< Important
  • When you now insert a CD, DVD, flashdrive or any other external drive with autorun capability, it will run.
*** Please be aware that having autorun enabled is now considered a security risk, and is discouraged.
If in any doubt about a disk that you are inserting, you can disable autorun by holding down the <SHIFT> key while inserting the disk, and continuing to hold it down until the optical drive has stopped attempting to read the disk. This method should not be relied upon!

Note: You may now delete the file (autorun.reg) that you created and saved on the Desktop.

Edited by AustrAlien, 19 January 2013 - 05:02 PM.

AustrAlien
Google is my friend. Make Google your friend too.
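
To show what each of the three settings discussed in this thread blocks, here is an added example (not part of the original posts) that decodes them from a .reg export. The bit table follows Microsoft's documented NoDriveTypeAutoRun flags, the function names are this example's own, and the sample reuses the values posted in reg1.txt and reg3.txt.

```python
# Documented NoDriveTypeAutoRun bits; any other bit is reported separately.
DRIVE_TYPE_BITS = {0x01: "unknown type", 0x04: "removable", 0x08: "fixed",
                   0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk",
                   0x80: "unknown type (reserved)"}

# Values copied from reg1.txt and reg3.txt as posted in this thread.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:00000143
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:Software\\Swearware\\dump"
"""

def dword(raw):
    return int(raw.split(":", 1)[1], 16)  # "dword:00000143" -> 0x143

def decode_drive_types(mask):
    # Drive types with AutoRun disabled, plus bits outside the documented table.
    named = [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]
    return named, mask & ~sum(DRIVE_TYPE_BITS)

def decode_drive_letters(mask):
    # NoDriveAutoRun: bit 0 is drive A, bit 25 is drive Z.
    return "".join(chr(ord("A") + i) for i in range(26) if (mask >> i) & 1)

def parse_reg(text):
    # Parse a .reg export into {key path: {value name: raw value}}.
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            current[name.strip('"')] = value
    return keys

def audit(text):
    report = {}
    for key, values in parse_reg(text).items():
        entry = report.setdefault(key, {})
        # Only dword data is decoded; a "=-" deletion line is skipped.
        if values.get("NoDriveTypeAutoRun", "").startswith("dword:"):
            entry["types_off"], entry["other_bits"] = decode_drive_types(
                dword(values["NoDriveTypeAutoRun"]))
        if values.get("NoDriveAutoRun", "").startswith("dword:"):
            entry["letters_off"] = decode_drive_letters(dword(values["NoDriveAutoRun"]))
        if key.lower().endswith(r"inifilemapping\autorun.inf"):
            # Default value "@SYS:..." maps autorun.inf reads to a registry key.
            entry["inf_redirected"] = values.get("@", "").startswith('"@SYS:')
    return report
```

On the posted values, the type mask by itself leaves removable and CD-ROM drives enabled; the all-letters NoDriveAutoRun mask and the Autorun.inf mapping are what block them.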


#6 Tzivitzonis

Tzivitzonis
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:08:46 AM

Posted 21 January 2013 - 11:48 AM

Dear AustrAlien thanx for the tips! :thumbsup:
By doing step 3, do I have to do steps 1 and 2 separately, or are they incorporated in step 3 altogether?

p.s. sorry for the delayed reply, I was not near the pc...

#7 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:04:46 PM

Posted 21 January 2013 - 04:05 PM

Sorry about any confusion that I may have caused.

Steps 1 and 2 are both taken care of in Step 3. All you need to do is Step 3: That should take care of everything.

Let me know how it goes.

Edited to add ...

On reflection, it would be wise to take the additional precautionary measure of backing up the entire Windows registry before making any changes at all. Please backup your Windows registry using ERUNT before proceeding to make the changes suggested in Step 3 of my earlier post.

Backup the Windows system registry with ERUNT
  • If you are using ERUNT on a Vista or Windows 7 system:
  • And ... if UAC (User Account Control) is enabled on the Windows system (as it is by default):
  • When installing ERUNT, ensure that the AutoBackup option is UN-checked!
  • Run ERUNT (or ERDNT.exe) using right-click > Run as Administrator
    Note: Backups will not be automatically created daily. Instead you will need to create them manually by running ERUNT.
Download ERUNT (The Emergency Recovery Utility NT) to the computer.
  • There are two versions to choose from:
    • Installer file Download Now
    • Run (double-click) the installer file to install ERUNT on the system.
    • Run ERUNT using the shortcut that will have been created on the Desktop.
    • Follow the prompts, leaving all settings in their default configuration.
  • Zipped file Download .ZIP
    • Unzip/Extract the .zip file to a folder in the location of your choice.
      Read the README.TXT file for full instructions and more information.
    • Run (double-click) the contained ERUNT.EXE file to backup the registry.
    • Follow the prompts, leaving all settings in their default configuration.
------------------------------
Note: To restore the Windows registry using ERUNT backups:
  • Navigate to the ERDNT folder created to house the registry backups:
    C:\Windows\ERDNT <<< folder
  • Inside the ERDNT folder you may find other folders labelled by date (manual backups if any).
  • The AutoBackup folder contains dated folders with registry backups created automatically by ERUNT each day the computer is started.
  • The location might look something like this:
  • C:\WINDOWS\ERDNT\AutoBackup\25-07-2012 <<< folder
  • Locate the backup (by date) that you wish to use and then run (double-click) ERDNT.exe within that same backup folder, and follow the prompts.

Edited by AustrAlien, 21 January 2013 - 04:48 PM.

AustrAlien
Google is my friend. Make Google your friend too.


#8 Tzivitzonis

Tzivitzonis
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:08:46 AM

Posted 23 January 2013 - 01:11 PM

Sorry about any confusion that I may have caused.

No worries! These may happen since we speak different mother languages! :wink:


Let me know how it goes.

Feedback time!
I took the reg backup using the ERUNT tool and incorporated the autorun.reg as instructed. It worked perfectly! :thumbup2:


I think the instructions given by AustrAlien on how to re-enable the autorun feature are short and consistent, therefore the topic deserves to be pinned, as a guide for others to follow! Thank you all for the contribution! :thumbsup:

#9 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:04:46 PM

Posted 23 January 2013 - 03:12 PM

Thanks for the feedback. I'm pleased to see that all worked as expected.
AustrAlien
Google is my friend. Make Google your friend too.
