http://bleuken.i.ph/blogs/bleuken/2007/06/29/viruses-that-uses-autoruninf/
Disable AUTORUN from Registry
You can disable AutoRun for all drives by configuring the registry.
Open the Registry Editor by typing regedit.exe at the command prompt
(if you are still at the command prompt) or in Start->Run.
Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
Double-click the NoDriveAutoRun DWORD entry and enter the value HEX: FF (255 in decimal).
(If NoDriveAutoRun does not exist,
create it by right-clicking the right-hand pane of the regedit window,
then New->DWORD Value, and name it NoDriveAutoRun.)
Close the Registry Editor and restart the computer.
A note on the two policy values, because they are easy to mix up: NoDriveAutoRun is a bitmask of drive letters (bit 0 = A:, bit 1 = B:, ... bit 25 = Z:), so FF covers only A: through H:; to cover every letter use 3FFFFFF. NoDriveTypeAutoRun, in the same key, is a bitmask of drive types (04 = removable, 08 = fixed, 10 = network, 20 = CD-ROM), and FF there disables AutoRun for every drive type, which is usually what you want. Values under HKEY_CURRENT_USER apply to the current account only; put the same values under HKEY_LOCAL_MACHINE to cover every user of the machine. On Windows XP and Vista, Explorer still ran the shell commands from autorun.inf on double-click even with these values set until Microsoft's AutoRun update (Knowledge Base article 967715) was installed, so install that update as well.
This procedure disables AutoRun for all drives on your computer, which at least stops an infected USB drive or CD from launching its autorun.inf automatically and so blocks infection by viruses such as Bacalid and RavMon.exe.
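The bit layouts of the two Explorer policy values, as an added example (this is editor-supplied code, not part of the original post). It encodes and decodes NoDriveAutoRun (one bit per drive letter, bit 0 = A:) and NoDriveTypeAutoRun (one bit per drive type), shows that FF in the per-letter value only reaches A: through H:, and queues the registry writes for HKCU and, optionally, HKLM. The helpers are pure Python so they can be checked on any OS; apply_writes() touches the registry only on Windows (writing HKLM needs an administrator account), and the key path and value names are the ones the post uses.

```python
import sys

# Bits of NoDriveTypeAutoRun: one per drive type (Microsoft-documented values).
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "removable": 0x04,  # USB sticks, floppies
    "fixed": 0x08,      # hard disks
    "remote": 0x10,     # network drives
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}
ALL_DRIVE_TYPES = 0xFF         # the FF the post recommends: every type
ALL_DRIVE_LETTERS = 0x3FFFFFF  # 26 bits set: A: through Z:
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def drive_type_mask(*types):
    """Combine named drive types into a NoDriveTypeAutoRun value."""
    mask = 0
    for t in types:
        mask |= DRIVE_TYPE_BITS[t]
    return mask


def drive_letter_mask(letters):
    """NoDriveAutoRun value that covers the given drive letters (bit 0 = A:)."""
    mask = 0
    for ch in letters.upper():
        if not "A" <= ch <= "Z":
            raise ValueError("not a drive letter: %r" % ch)
        mask |= 1 << (ord(ch) - ord("A"))
    return mask


def letters_covered(mask):
    """Drive letters whose AutoRun a NoDriveAutoRun value actually disables."""
    return "".join(chr(ord("A") + i) for i in range(26) if mask >> i & 1)


def registry_writes(all_users=True):
    """(hive, subkey, value name, DWORD) tuples for the disable-AutoRun policy.

    HKCU covers only the current account, which is where the post stops;
    with all_users=True the same value is also queued for HKLM.
    """
    hives = ["HKEY_CURRENT_USER"] + (["HKEY_LOCAL_MACHINE"] if all_users else [])
    return [(h, POLICY_KEY, "NoDriveTypeAutoRun", ALL_DRIVE_TYPES) for h in hives]


def apply_writes(writes):
    """Write the queued DWORDs. Only meaningful on Windows; returns False elsewhere."""
    if sys.platform != "win32":
        return False
    import winreg  # Windows-only module, hence the late import
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    for hive, subkey, name, data in writes:
        with winreg.CreateKey(hives[hive], subkey) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, data)
    return True


if __name__ == "__main__":
    print("NoDriveAutoRun = FF covers only:", letters_covered(0xFF))
    print("NoDriveAutoRun for every letter: %X" % drive_letter_mask("ABCDEFGHIJKLMNOPQRSTUVWXYZ"))
    print("NoDriveTypeAutoRun removable+cdrom: %02X" % drive_type_mask("removable", "cdrom"))
    for w in registry_writes():
        print("would write", w)
    print("applied:", apply_writes(registry_writes()))
```

Run it once without applying to see what would be written; a reboot (or at least a new Explorer session) is still needed after the values change, exactly as the post says.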
======================================
http://www.bloggingindia.net/2007/09/29/enabling-regedit-registry-editor-and-task-manager-taskmgrexe-when-banned-by-administrator/
Enabling regedit and task manager...
Hi all,
How would a person feel when there’s a virus on a system and he can’t access Task Manager to end the virus process, or access regedit to zoom it to hell? Well, that’s exactly what happened to me. All my college computers were infected with so many viruses that even a trio of Norton, Avast and NOD32 couldn’t come to the rescue. And Task Manager was blocked. So was regedit. Apparently, “Task Manager has been disabled by your Administrator” and “Registry editing has been blocked by your Administrator“. My first reaction was to call up the admin and use a few well-chosen swear words.
But thankfully, it didn’t come to that, since Windows was Windows, and everything had a back door or two :P . So what do you do to re-enable Task Manager and/or regedit when your admin has blocked them? Follow the few simple steps below -
* Hit Windows+R to bring up Run (Start>Run)
* Type in gpedit.msc and click OK
* For regedit : In the Group Policy window, browse to User Configuration > Administrative Templates > System and voila, you should have a small entry named “Prevent access to registry editing tools“. Double-click that entry, select the Disabled option, and click OK. Your regedit.exe has just been enabled :) .
* For Task Manager : In the Group Policy window, browse to User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options and you’ll have an entry titled “Remove Task Manager“. Double-click that entry, select the Disabled option, and click OK. Your Task Manager has just been enabled :) . Go ahead, hit Ctrl+Alt+Del and rejoice :) .
* What these two settings actually do is clear the DWORD values DisableRegistryTools and DisableTaskMgr under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System; malware that “bans” regedit simply sets them to 1 itself. Two caveats: running malware will usually set them again within seconds unless you kill its process first (or do this from Safe Mode), and on a domain-joined PC the domain policy overrides the local policy at the next refresh, so if the restriction really does come from your admin it will come back. The command-line tool reg.exe is not affected by DisableRegistryTools, so it can also be used to reset the values when regedit itself is blocked.
That’s it guys, I hope this has been useful. Oh, by the way, this post was intended purely for educational use. Any damage you cause by fiddling with these options is your own fault! Toodles!
UPDATE
gpedit.msc (Group Policy Editor) is not available on Windows XP Home. But it can be installed, by copying the files from a Windows XP Professional system. I’ve included a file which contains the 2 files required to install gpedit.msc on a Windows XP Home PC. Download the file, unzip it, and read the howto.txt file, which contains the instructions. Click here to download the file. Big thanks to Atar for this!
=============================
http://edzzy.i.ph/blogs/edzzy/2008/01/30/how-to-remove-autoruninf-virus/
Autorun.inf virus removal
AUTORUN.INF is normally used by CD installers to autoplay their setup programs;
a hard disk should not have an AUTORUN.INF in its root directory by default.
You can check whether your computer is infected by listing the hidden contents
of a drive from the command prompt with the dir /ah command.
The virus described here hides itself inside a folder named Recycled.
The folder carries the Hidden, System and Read-only attributes,
which is why you will not see it through the Search window.
When your system is infected by this virus,
it infects every drive connected to your PC: it drops VCAB.DLL into the
Temporary Internet Files folder, creates CTFMON.EXE inside the Recycled folder, and
writes an AUTORUN.INF in the root directory of every drive. That is why a USB stick
plugged into the infected PC is infected immediately; the USB stick then becomes the new
carrier for the virus. The program runs every time you start your computer because
it copies itself into the Startup folder of the Start Menu. It also runs every time you
insert the infected USB disk, and it is triggered every time you double-click the infected
drive (because of the AUTORUN.INF). The virus also infects .EXE and .DLL files.
To check whether your system is infected by this virus without using an antivirus, do the following:
1. Open a command prompt.
2. Type cd \ on drive C: to go to the root directory.
3. Type DIR /AH and press ENTER. This lists all hidden files and folders in the root of drive C:.
4. If you see a file AUTORUN.INF and a folder Recycled, your system is infected.
5. Do the same on your USB drive; if it contains the same folder and an AUTORUN.INF, the infection has spread to the USB stick as well.
Note that a hidden, system Recycled folder by itself is not proof: on FAT-formatted drives Windows keeps the Recycle Bin in a hidden system folder named Recycled (NTFS volumes use RECYCLER). The tell-tale signs are the AUTORUN.INF in the root, an executable such as CTFMON.EXE inside Recycled, and an autorun.inf whose open= or shell\...\command= line points at that executable.
To remove it, download and install a trial version of Trend Micro and scan your system.
To remove it manually (not recommended, especially if the Bacalid infection is
widespread; use an anti-virus such as McAfee or Trend Micro's PC-cillin instead),
follow the steps below. These are the steps I take when I repair a computer without
an internet connection. You should understand what you are about to do; you try it
at your own risk.
Boot your system in Safe Mode.
1. Open a command prompt and run the following commands on drive C:.
2. Type ATTRIB -H -R -S AUTORUN.INF and press ENTER.
3. Type DEL AUTORUN.INF and press ENTER.
4. Type ATTRIB -H -R -S Recycled and press ENTER.
5. In Windows Explorer (still in Safe Mode), remove the folder Recycled from drive C:; use Shift-Delete so it is not just moved to the Recycle Bin.
6. Repeat steps 2 to 5 for every drive on your system, including the USB drive.
7. Search for CTFMON.EXE across your system using Search in the Start Menu. If you find a copy that is not located in C:\WINDOWS\SYSTEM32, delete it immediately, and empty the Recycle Bin afterwards. (Copies in C:\WINDOWS\system32\dllcache are Windows' own backups of the genuine file; compare size and date with the System32 copy before deleting anything.) The virus usually also copies itself into the Startup folder of the Start Menu; check whether the file is present there and delete it too.
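The detection check (dir /ah plus a look at what autorun.inf would launch) and the manual clean-up (attrib -h -r -s, del, remove the Recycled folder, hunt stray ctfmon.exe copies) as one script, added here as an editor's example; it is not the post's own tooling. It parses the [autorun] section of autorun.inf, reports the open=, shellexecute= and shell\<verb>\command= targets that Explorer would run, flags any ctfmon.exe outside the System32 directory, and then performs the removal. The sample autorun.inf and the throw-away "drive" in a temp directory are constructed for the demo; the legitimate ctfmon.exe locations are assumed to be the XP paths the post names. Run the clean-up from Safe Mode, as the post says, so the live copy cannot rewrite the files.

```python
import os, shutil, stat, sys, tempfile

FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM, FILE_ATTRIBUTE_NORMAL = 0x02, 0x04, 0x80
# Assumption: XP layout as in the post; the genuine ctfmon.exe lives here.
LEGIT_CTFMON_DIRS = {r"c:\windows\system32", r"c:\windows\system32\dllcache"}

# Constructed sample, modelled on the dropper behaviour the post describes.
SAMPLE_AUTORUN_INF = """; constructed sample autorun.inf for the demo
[autorun]
open=Recycled\\ctfmon.exe
shell\\open\\command=Recycled\\ctfmon.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

def parse_autorun_inf(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    section, entries = None, {}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Commands Explorer would run: open=, shellexecute=, shell\\<verb>\\command=."""
    return [v for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]

def _find(dirpath, name):
    """Case-insensitive lookup: FAT/NTFS fold case, but the demo may run on Linux."""
    hits = [e for e in os.listdir(dirpath) if e.lower() == name.lower()]
    return os.path.join(dirpath, hits[0]) if hits else None

def is_hidden_system(path):
    """Hidden or System attribute set? (always False off Windows)"""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))

def scan_root(root):
    """The 'dir /ah' check: autorun.inf in the root, what it launches, and any
    ctfmon.exe outside the real System32 (e.g. inside Recycled)."""
    found = {"autorun_inf": None, "hidden": False, "launches": [], "suspicious_exes": []}
    inf = _find(root, "autorun.inf")
    if inf and os.path.isfile(inf):
        found["autorun_inf"], found["hidden"] = inf, is_hidden_system(inf)
        with open(inf) as fh:
            found["launches"] = launch_targets(parse_autorun_inf(fh.read()))
    for dirpath, _dirs, files in os.walk(root):
        if os.path.abspath(dirpath).lower() in LEGIT_CTFMON_DIRS:
            continue
        found["suspicious_exes"] += [os.path.join(dirpath, f) for f in files
                                     if f.lower() == "ctfmon.exe"]
    return found

def clear_attributes(path):
    """The 'attrib -h -r -s' step: Win32 call on Windows, chmod +w elsewhere."""
    if sys.platform == "win32":
        import ctypes
        if not ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL):
            raise OSError("SetFileAttributesW failed for %s" % path)
    else:
        os.chmod(path, os.stat(path).st_mode | stat.S_IWUSR)

def clean_root(root, found):
    """The manual removal (do it from Safe Mode): delete autorun.inf, stray
    ctfmon.exe copies and the Recycled folder. Returns what was removed."""
    removed = []
    for path in [found["autorun_inf"]] + found["suspicious_exes"]:
        if path and os.path.isfile(path):
            clear_attributes(path)
            os.remove(path)
            removed.append(path)
    recycled = _find(root, "Recycled")
    if recycled and os.path.isdir(recycled):
        clear_attributes(recycled)
        shutil.rmtree(recycled)
        removed.append(recycled)
    return removed

def make_demo_root():
    """Throw-away 'infected drive' in a temp dir (constructed data)."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    os.mkdir(os.path.join(root, "Recycled"))
    with open(os.path.join(root, "Recycled", "ctfmon.exe"), "wb") as fh:
        fh.write(b"MZ-not-a-real-executable")
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    return root

if __name__ == "__main__":
    root = make_demo_root()
    found = scan_root(root)
    print("autorun.inf:", found["autorun_inf"], "launches:", found["launches"])
    print("suspicious:", found["suspicious_exes"])
    print("removed:", clean_root(root, found))
    print("clean now:", scan_root(root)["autorun_inf"] is None)
    shutil.rmtree(root)
```

On a real machine call scan_root("E:\\") for each drive letter and read the launches list before deleting anything: an autorun.inf whose only launch target is a setup program on a CD is the legitimate use the post mentions, and the Recycled folder on a FAT drive is the Recycle Bin, which Windows recreates.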
To disable AutoRun for drives (so that double-clicking a drive, CD or USB stick no longer auto-opens it), follow these steps:
Click Start->Run and type REGEDIT.EXE.
1. Go to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
2. Look for the entry NoDriveTypeAutoRun and double-click it (create it as a DWORD value if it is missing).
3. Enter the new value FF (hex) for NoDriveTypeAutoRun; this turns off AutoRun for all drive types. Press ENTER.
4. Reboot the system.
Viruses that use Autorun.INF
There are several viruses that use autorun.inf to spread, such as
Bacalid (which hides itself as ctfmon.exe) and RavMon.EXE.
These viruses set their files' attributes to System+Hidden+Read-only,
so some anti-virus products have a hard time detecting or finding them.
They save themselves in the root directory of every available drive
on the infected computer and run every time you double-click the drive.
On infected USB sticks and CDs the virus runs automatically, especially if
AutoRun is enabled for the drive (which is the default: AutoRun for drives is enabled).
If you want to stop viruses that use autorun.inf from infecting your USB flash drive, try this:
1. Open a command prompt (Start->Run->cmd.exe).
2. Change to your USB flash drive (e.g. if it is drive E:, type E: at the prompt and press ENTER).
3. Create a folder named AUTORUN.INF in the root directory of the flash drive (type the command MD \AUTORUN.INF). If you get the error "A subdirectory or file AUTORUN.INF already exists", follow the instructions above to remove the existing autorun.inf first, then repeat this step.
This prevents future infection because autorun.inf viruses create a file named autorun.inf.
With an AUTORUN.INF folder in the root directory of your drive, a virus cannot create its
own autorun.inf file there, and it cannot overwrite the folder as if it were a file.
Caveat: this only stops droppers that do not check first. Malware that deletes the empty folder before writing its file defeats it, so treat the folder as a complement to disabling AutoRun in the registry, not a replacement. (Windows 7 and later no longer honour autorun.inf on USB drives at all, so the trick matters mainly on XP and Vista.)
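The folder trick and its limit, as an added example (editor-supplied, not from the post). vaccinate() is the md \AUTORUN.INF step and returns False when a real autorun.inf file is already there, which is the "already exists" error the post describes. naive_dropper() does what the post's reasoning assumes a virus does (open the name for writing), and fails against the folder; clearing_dropper() removes the empty folder first and succeeds, which is the case the folder does not cover. A temp directory stands in for the flash drive root and the dropper payload is constructed; note that FAT and NTFS fold case, so on a real drive any spelling of autorun.inf collides with the folder, whereas on a case-sensitive filesystem only the exact name does.

```python
import os
import shutil
import tempfile

VACCINE = "AUTORUN.INF"  # the post's folder name; FAT/NTFS ignore case, Linux does not
# Constructed stand-in for what a dropper writes, modelled on the post.
DROPPER_PAYLOAD = "[autorun]\nopen=Recycled\\ctfmon.exe\n"


def vaccinate(root):
    """The 'md \\AUTORUN.INF' step. True once the folder exists; False if a real
    autorun.inf file is in the way (the post's "already exists" error: remove
    the infection first, then retry)."""
    path = os.path.join(root, VACCINE)
    if os.path.isfile(path):
        return False
    os.makedirs(path, exist_ok=True)
    return True


def is_vaccinated(root):
    """True while the AUTORUN.INF folder is in place."""
    return os.path.isdir(os.path.join(root, VACCINE))


def naive_dropper(root, payload=DROPPER_PAYLOAD):
    """What the post's reasoning assumes a virus does: open the name for writing.
    Returns True if the file was written, False if the folder blocked it."""
    path = os.path.join(root, VACCINE)
    try:
        with open(path, "w") as fh:
            fh.write(payload)
        return True
    except OSError:  # IsADirectoryError on Linux, PermissionError on Windows
        return False


def clearing_dropper(root, payload=DROPPER_PAYLOAD):
    """The weakness: a dropper that removes the folder first succeeds, so the
    folder is a speed bump, not a substitute for disabling AutoRun."""
    path = os.path.join(root, VACCINE)
    if os.path.isdir(path):
        shutil.rmtree(path)
    return naive_dropper(root, payload)


def make_demo_root():
    """Temp dir standing in for the flash drive root (constructed)."""
    return tempfile.mkdtemp(prefix="usbroot_")


if __name__ == "__main__":
    root = make_demo_root()
    print("vaccinated:", vaccinate(root))                              # True
    print("naive dropper wrote autorun.inf:", naive_dropper(root))     # False
    print("clearing dropper wrote it:", clearing_dropper(root))        # True
    print("vaccinate again on infected drive:", vaccinate(root))       # False
    shutil.rmtree(root)
```

The last line of the demo is the post's "already exists" case: once a real autorun.inf file is on the drive, the folder cannot be created until the file has been removed with the attrib and del steps above.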