Disabled AutoPlay, it just revived (XP Home)


Robert Carnegie: Fnord: cc talk-origins@moderators

On a Gigabyte M912 net-book computer running Windows XP Home, I
disabled the AutoPlay function. Now it's started running. The
registry configuration that disabled it appears to be intact, but I
haven't checked every applicable setting, just "Honor disabled
AutoPlay" (machine, I think) and "Disable AutoPlay on these drive
types: all, 0xFF" (per user). To disable it again, and otherwise
protect myself, what should I look at?

Things I have only done on the computer recently include:

- Connect a real USB hard disk.

- Use Linux (SystemRescueCD 1.3.1 and 1.3.3) to shrink partition C,
create and format a new FAT32 partition H, then remove existing
partition D and (in Windows) rename H to D.

- Install CoolInfo free (sponsored) speech recognition software
including Microsoft Speech API.

- Use SystemRescueCD 1.3.3 to scan for viruses (ClamScan). It thinks
that two data files for Windows F-Secure anti-virus contain viruses.

- Use just-out SystemRescueCD 1.3.4 to see how current ClamScan is.
(Not absolutely: updated December 15th. But you can download new
virus id files separately. I haven't done that yet.)

- Use F-Secure virus scanner to read the machine. It thinks I am
clean except for a "tracking cookie".

- Input and use the settings for a British dial-up Internet service
that does not run and only crashes or freezes the computer. Called
something like Zaggle.

- Accept recommendation by F-Secure to suppress registry access (!) by
a program named, I think, KBM.exe. This appears to be original
software on the computer - but may be corrupted - and F-Secure only
got upset about it after an update to F-Secure and then the attempt to
use Zaggle.

Things I have not done recently:

- Install any very latest Windows Updates after December 13th.

- Update F-Secure since December 1st, according to notes.

- Knowingly use wireless networking. I think it is switched off, and
Bluetooth undiscoverable.

- Update from Internet Explorer 6.
 
Oh, another "did recently": I just disabled "System Restore" on some
of the hard disk partitions - kept it on the system partition.
 
Robert said:
On a Gigabyte M912 net-book computer running Windows XP Home, I
disabled the AutoPlay function. Now it's started running. The
registry configuration that disabled it appears to be intact, but I
haven't checked every applicable setting, just "Honor disabled
AutoPlay" (machine, I think) and "Disable AutoPlay on these drive
types: all, 0xFF" (per user). To disable it again, and otherwise
protect myself, what should I look at?

Things I have only done on the computer recently include:

- Connect a real USB hard disk.

- Use Linux (SystemRescueCD 1.3.1 and 1.3.3) to shrink partition C,
create and format a new FAT32 partition H, then remove existing
partition D and (in Windows) rename H to D.

- Install CoolInfo free (sponsored) speech recognition software
including Microsoft Speech API.

- Use SystemRescueCD 1.3.3 to scan for viruses (ClamScan). It thinks
that two data files for Windows F-Secure anti-virus contain viruses.

- Use just-out SystemRescueCD 1.3.4 to see how current ClamScan is.
(Not absolutely: updated December 15th. But you can download new
virus id files separately. I haven't done that yet.)

- Use F-Secure virus scanner to read the machine. It thinks I am
clean except for a "tracking cookie".

- Input and use the settings for a British dial-up Internet service
that does not run and only crashes or freezes the computer. Called
something like Zaggle.

- Accept recommendation by F-Secure to suppress registry access (!) by
a program named, I think, KBM.exe. This appears to be original
software on the computer - but may be corrupted - and F-Secure only
got upset about it after an update to F-Secure and then the attempt to
use Zaggle.

Things I have not done recently:

- Install any very latest Windows Updates after December 13th.

- Update F-Secure since December 1st, according to notes.

- Knowingly use wireless networking. I think it is switched off, and
Bluetooth undiscoverable.

- Update from Internet Explorer 6.

Robert Carnegie wrote
Oh, another "did recently": I just disabled "System Restore" on some
of the hard disk partitions - kept it on the system partition.

You did a system restore...? That could easily undo patches.

Why did you perform a system restore?

How to disable the Autorun functionality in Windows
http://support.microsoft.com/kb/967715

In your case - I would probably do the following if I had the computer:

You can obtain and supply the edition and version information:

Start button --> RUN
(no "RUN"? Press the "Windows Key" + R on your keyboard)
--> type in:
winver
--> Click OK.

The picture at the top of the window that opens will give you the general
(Operating System name and edition) while the line starting with the word
"version" will give you the rest of the story. Post _both_ in response
to this message verbatim. No paraphrasing - instead - ensure
character-for-character copying.

What version of Internet Explorer are you currently using? Easy to find
out. Open Internet Explorer and while that is in-focus, press and hold
the "ALT" key on your keyboard. With the "ALT" key still pressed, press
(just once, no holding) the "H" key. Now, with the "ALT" key still
pressed, press (just once, no holding) the "A" key. That will bring up
the "About Internet Explorer" window. It will give you the exact version
you are using - repeat what you see there in response to this message.

Download/install the "Windows Installer CleanUp Utility":
http://support.microsoft.com/kb/290301

After installing, do the following:

Start button --> RUN
(no "RUN"? Press the "Windows Key" + R on your keyboard)
--> type in:
"%ProgramFiles%\Windows Installer Clean Up\msizap.exe" g!
--> Click OK.
(The quotation marks and percentage signs and spacing should be exact.)

Download, install, run, update and perform a full scan with the following
(freeware version):

SuperAntiSpyware
http://www.superantispyware.com/

Reboot and logon as administrative user.

Download, install, run, update and perform a full scan with the following
(freeware version):

MalwareBytes
http://www.malwarebytes.com/

Reboot and logon as administrative user.

Download and run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

You may find nothing, you may find only cookies, you may think it is a
waste of time...

Reboot and logon as administrative user.

Download/Install the latest Windows Installer (for your OS):
( Windows XP 32-bit : WindowsXP-KB942288-v3-x86.exe )
http://www.microsoft.com/downloadS/...6F-60B6-4412-95B9-54D056D6F9F4&displaylang=en

Reboot and logon as administrative user.

Download the latest version of the Windows Update agent from here (x86):
http://go.microsoft.com/fwlink/?LinkID=91237
.... and save it to the root of your C:\ drive. After saving it to the
root of the C:\ drive, do the following:

Close all Internet Explorer windows and other applications.

Start button --> RUN and type in:
%SystemDrive%\windowsupdateagent30-x86.exe /WUFORCE
--> Click OK.

(If asked, select "Run".) --> Click on NEXT --> Select "I agree" and click on
NEXT --> When it finishes installing, click on "Finish"...

Reboot and logon as administrative user.

Visit this web page:

How do I reset Windows Update components?
http://support.microsoft.com/kb/971058

.... and click on the "Microsoft Fix it" icon. When asked, select "RUN",
both times. Check the "I agree" box and click on "Next". Check the box
for "Run aggressive options (not recommended)" and click "Next". Let
it finish up and follow the prompts until it is done. Close/exit and
reboot when it is.

Log on as a user with administrative rights and open Internet Explorer
and visit http://windowsupdate.microsoft.com/ and select to do a
CUSTOM scan...

Every time you are about to click on something while at these web pages -
first press and hold down the CTRL key while you click on it. You can
release the CTRL key after clicking each time.

Once the scan is done, select just _ONE_ of the high priority updates
(deselect any others) and install it.

Reboot again.

If it did work - try the web page again - selecting no more than 3-5 at a
time. Rebooting as needed.

The Optional Software updates are generally safe - although I recommend
against the "Windows Search" one and any of the "Office Live" ones or
"Windows Live" ones for now. I would completely avoid the
Optional Hardware updates. Also - I do not see any urgent need to
install Internet Explorer 8 at this time.
 
I have:
Microsoft Windows XP Home Edition
Version 5.1 (Build 2600.xpsp_sp3_gdr.090804-1435 : Service Pack 3)
Microsoft Internet Explorer
6.0.2600.5512.xpsp_sp3_gdr.090804-1435

I didn't use System Restore - unless I pressed the wrong button - I
ran it to adjust its settings and exclude hard disk partitions other
than the system volume from its supervision, mainly to satisfy myself
that a partition really was empty before deleting it.

I'm grateful for the advice given, but I'm not sure about a few
things. Really I'd like to know what has gone wrong, and I suppose
that "Super Antispyware" perhaps could tell me - if it is that sort of
problem, which I'm hoping it isn't - but I'm concerned that Google
doesn't show that as a product that people are talking about much -
except for offering hacked versions of the paid-for product, which
very much misses the point, of course.

If I may have infected my computer by using a recent release of
"SystemRescueCD" and "ClamAV" - which I assumed genuine and
trustworthy and widely used - then I'm hesitating to use more tools
whose origin I don't fully understand.

Why would malicious software re-enable AutoPlay? Perhaps to be able
to infect writeable media somehow? But would it have to expose itself
to do that?

Next, I think I'll double check /all/ the registry entries I can find
out about that bear on AutoPlay. I would prefer that my shuffling of
partitions and labels had caused the problem, not an external security
issue. But am I the only user playing this game?
 
Robert said:
I have:
Microsoft Windows XP Home Edition
Version 5.1 (Build 2600.xpsp_sp3_gdr.090804-1435 : Service Pack 3)
Microsoft Internet Explorer
6.0.2600.5512.xpsp_sp3_gdr.090804-1435

Good on SP3. Likely should upgrade to IE7 - IMO.
I didn't use System Restore - unless I pressed the wrong button - I
ran it to adjust its settings and exclude hard disk partitions other
than the system volume from its supervision, mainly to satisfy
myself that a partition really was empty before deleting it.

Okay - you did not say that.
I'm grateful for the advice given, but I'm not sure about a few
things. Really I'd like to know what has gone wrong, and I suppose
that "Super Antispyware" perhaps could tell me - if it is that sort
of problem, which I'm hoping it isn't - but I'm concerned that
Google doesn't show that as a product that people are talking about
much - except for offering hacked versions of the paid-for product,
which very much misses the point, of course.

There is no space in "SuperAntiSpyware".
I and others have been recommending it for some time.

http://www.google.com/search?q=superantispyware+reviews
If I may have infected my computer by using a recent release of
"SystemRescueCD" and "ClamAV" - which I assumed genuine and
trustworthy and widely used - then I'm hesitating to use more tools
whose origin I don't fully understand.

If you don't trust the advice here - take the computer to someone who you do
trust. I can understand that. (Don't be surprised if they use some of the
products mentioned here, though. *grin*)
Why would malicious software re-enable AutoPlay? Perhaps to be able
to infect writeable media somehow? But would it have to expose
itself to do that?

It could have - or perhaps something else happened.
Next, I think I'll double check /all/ the registry entries I can
find out about that bear on AutoPlay. I would prefer that my
shuffling of partitions and labels had caused the problem, not an
external security issue. But am I the only user playing this game?

Probably not - but likely one of the few. Most never have a reason to do
so.
 
Check the following :

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers]
"DisableAutoplay"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=hex:ff,ff,ff,ff


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=hex:ff,ff,ff,ff

==

Cheers, Tim Meddick, Peckham, London. :-)
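One way to re-check the three values Tim lists, as an added example that is not code from the thread: the script parses a .reg-style export (the embedded one is constructed, not a real export from the poster's machine) and reports any value that is missing or no longer disables AutoPlay, decoding NoDriveAutoRun as the per-drive-letter bitmask it is (bit 0 = A:, bit 25 = Z:).

```python
import re
# Constructed .reg-style export of the three values quoted in the thread (not a real export).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers]
"DisableAutoplay"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=hex:ff,ff,ff,ff
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=hex:ff,ff,ff,ff
"""
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
HKLM = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
# The three values the reply lists, with the setting that means "AutoPlay off".
EXPECTED = {
    (HKCU + r"\Explorer\AutoplayHandlers", "DisableAutoplay"): 1,
    (HKCU + r"\Policies\Explorer", "NoDriveAutoRun"): 0xFFFFFFFF,
    (HKLM + r"\Policies\Explorer", "NoDriveAutoRun"): 0xFFFFFFFF,
}
def parse_reg(text):
    """Return {(key, name): int} for the dword:/hex: values in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"([^"]+)"=(dword|hex):([0-9a-fA-F,]+)$', line)
        if key is None or not m:
            continue
        name, kind, raw = m.groups()
        if kind == "dword":
            values[(key, name)] = int(raw, 16)
        else:  # hex: bytes are stored little-endian, so ff,ff,ff,ff == 0xFFFFFFFF
            values[(key, name)] = int.from_bytes(bytes.fromhex(raw.replace(",", "")), "little")
    return values
def drives_still_autorun(mask):
    """NoDriveAutoRun is a bitmask over drive letters (bit 0 = A:, bit 25 = Z:)."""
    return [chr(65 + i) for i in range(26) if not (mask >> i) & 1]
def audit(text):
    """List each expected value that is missing or no longer disables AutoPlay."""
    found, problems = parse_reg(text), []
    for (key, name), want in EXPECTED.items():
        got = found.get((key, name))
        if got is None:
            problems.append("%s\\%s missing" % (key, name))
        elif name == "NoDriveAutoRun" and drives_still_autorun(got):
            problems.append("%s\\%s leaves AutoRun on for %s" % (key, name, drives_still_autorun(got)))
        elif got != want:
            problems.append("%s\\%s is %#x, expected %#x" % (key, name, got, want))
    return problems
```

An empty list from audit() means the three values are present and still set as in the reply; anything else names the exact key and value to look at.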
