Comments on: Foil Conficker Get Rid of AutoRun http://www.eset.com/blog/2009/03/25/foil-conficker-get-rid-of-autorun Fri, 12 Mar 2010 16:00:59 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Scorellis http://www.eset.com/blog/2009/03/25/foil-conficker-get-rid-of-autorun/comment-page-1#comment-65533 Scorellis Tue, 06 Oct 2009 12:36:38 +0000 http://www.eset.com/threat-center/blog/?p=828#comment-65533 SOrry, meant to say "I just plugged a USB drive in." Not just "it." I'm only halfway into my second cup of coffee... SOrry, meant to say “I just plugged a USB drive in.” Not just “it.” I’m only halfway into my second cup of coffee…

]]> By: Scorellis http://www.eset.com/blog/2009/03/25/foil-conficker-get-rid-of-autorun/comment-page-1#comment-65532 Scorellis Tue, 06 Oct 2009 12:35:09 +0000 http://www.eset.com/threat-center/blog/?p=828#comment-65532 I'm a little confused. I run ESet on this machine and I just plugged it in. ESet started popping an alert window telling me I had an autorun virus. This autorun file, according to ESet, tried to access the explorer.exe and one other file...I want to say it was SVCHost but don't quote me on that. Anyway, i tried to open the file in notepad and then in a hex editor (that's right, I read hex) and couldn't. My asusmption is that I had a virus but am also thinking that ESet is actively trying to overprotect me. I am not sure which. Please let me know which it is or direct me to the forum where I can find out? And also, how may I check and see what other sorts of things ESet has in store for my future? Perhaps they'd like to let me know how many kids I'm going to have, or where I will be working next year, or what kind of car I should buy? Or where I should shop? I’m a little confused. I run ESet on this machine and I just plugged it in. ESet started popping an alert window telling me I had an autorun virus. This autorun file, according to ESet, tried to access the explorer.exe and one other file…I want to say it was SVCHost but don’t quote me on that. Anyway, i tried to open the file in notepad and then in a hex editor (that’s right, I read hex) and couldn’t. My asusmption is that I had a virus but am also thinking that ESet is actively trying to overprotect me. I am not sure which. Please let me know which it is or direct me to the forum where I can find out? And also, how may I check and see what other sorts of things ESet has in store for my future? Perhaps they’d like to let me know how many kids I’m going to have, or where I will be working next year, or what kind of car I should buy? Or where I should shop?

]]> By: Randy Abrams http://www.eset.com/blog/2009/03/25/foil-conficker-get-rid-of-autorun/comment-page-1#comment-62066 Randy Abrams Fri, 28 Aug 2009 21:00:46 +0000 http://www.eset.com/threat-center/blog/?p=828#comment-62066 A similar comment was posted quite a while back. This is a long running scam. The bad guys are always changing the malware associated with it though. The email did not come from DHL. A similar comment was posted quite a while back. This is a long running scam. The bad guys are always changing the malware associated with it though. The email did not come from DHL.

]]> By: Jewelry Making Supplies http://www.eset.com/blog/2009/03/25/foil-conficker-get-rid-of-autorun/comment-page-1#comment-61985 Jewelry Making Supplies Thu, 27 Aug 2009 23:59:47 +0000 http://www.eset.com/threat-center/blog/?p=828#comment-61985 In response to the post: We just got something from “DHL” and it contained a file called DHL_HELP, that appparently DHL says has a virus, I looked on the server that was hosting the customer and it had a file called DHL_HELP.exe file running, I couldnt find any info on this which makes me think its brand new, have you guys heard of this? I was thinking it might be related to Conficker.... Have you seen this issue come up since, or was it only a one-time email from "DHL". I just ask, because we recently got something very similar. In response to the post:

We just got something from “DHL” and it contained a file called DHL_HELP, that appparently DHL says has a virus, I looked on the server that was hosting the customer and it had a file called DHL_HELP.exe file running, I couldnt find any info on this which makes me think its brand new, have you guys heard of this? I was thinking it might be related to Conficker….

Have you seen this issue come up since, or was it only a one-time email from “DHL”. I just ask, because we recently got something very similar.

]]> By: David Harley http://www.eset.com/blog/2009/03/25/foil-conficker-get-rid-of-autorun/comment-page-1#comment-42925 David Harley Mon, 06 Apr 2009 11:42:46 +0000 http://www.eset.com/threat-center/blog/?p=828#comment-42925 Panda's vaccine sounds like a good idea for some people, and if you're going to automate autorun disabling, it's safer to go with a utility from a reputable antimalware company than with the first link you pick up off a google search, which may or may not be innocent/genuine/useful. I'm not going to link to this tool, because I haven't tested it or looked at it in detail (when I upgrade to a 28 hour day, I may have time to do that...), and there are actually quite a few utilities that claim to do this. There also seems to be some confusion as to how permanent the process is in some scenarios, and sometimes you -may- need to turn Autorun back on temporarily. Panda’s vaccine sounds like a good idea for some people, and if you’re going to automate autorun disabling, it’s safer to go with a utility from a reputable antimalware company than with the first link you pick up off a google search, which may or may not be innocent/genuine/useful.

I’m not going to link to this tool, because I haven’t tested it or looked at it in detail (when I upgrade to a 28 hour day, I may have time to do that…), and there are actually quite a few utilities that claim to do this. There also seems to be some confusion as to how permanent the process is in some scenarios, and sometimes you -may- need to turn Autorun back on temporarily.

]]> By: Art Lewis http://www.eset.com/blog/2009/03/25/foil-conficker-get-rid-of-autorun/comment-page-1#comment-42902 Art Lewis Sun, 05 Apr 2009 09:48:55 +0000 http://www.eset.com/threat-center/blog/?p=828#comment-42902 Rather than asking people to make complicated registry changes themselves, why not just use Panda Security's "vaccination" program that supposedly disables autorun? [Edited] DOES THIS WORK? AND DOESN'T IT DO THE SAME THING AS YOUR ADVICE, EXCEPT A LOT EASIER? Rather than asking people to make complicated registry changes themselves, why not just use Panda Security’s “vaccination” program that supposedly disables autorun? [Edited]

DOES THIS WORK? AND DOESN’T IT DO THE SAME THING AS YOUR ADVICE, EXCEPT A LOT EASIER?

]]> By: DC http://www.eset.com/blog/2009/03/25/foil-conficker-get-rid-of-autorun/comment-page-1#comment-42801 DC Thu, 02 Apr 2009 13:44:21 +0000 http://www.eset.com/threat-center/blog/?p=828#comment-42801 "When you create and then run the registry file it create a key called Autorun.inf in HKLM/Software/Microsoft/Windows Nt/Currentversion/IniFileMapping . The value of the key is @=@SYS:DoesNotExist. " Actually, the value of the key is @SYS:DoesNotExist, isnt it? “When you create and then run the registry file it create a key called Autorun.inf in HKLM/Software/Microsoft/Windows Nt/Currentversion/IniFileMapping . The value of the key is @=@SYS:DoesNotExist. ”

Actually, the value of the key is @SYS:DoesNotExist, isnt it?

]]> By: Peter http://www.eset.com/blog/2009/03/25/foil-conficker-get-rid-of-autorun/comment-page-1#comment-42394 Peter Thu, 26 Mar 2009 10:55:54 +0000 http://www.eset.com/threat-center/blog/?p=828#comment-42394 Dear Mr. Abrams, I found the answer from the site you mentioned: (http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives) "Note that there are three lines in the file, the middle line may wrap when displayed by a web browser, but it needs to be a single line in the .reg file." Thank you. Dear Mr. Abrams,

I found the answer from the site you mentioned:
(http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives)

“Note that there are three lines in the file, the middle line may wrap when displayed by a web browser, but it needs to be a single line in the .reg file.”

Thank you.

]]> By: Peter http://www.eset.com/blog/2009/03/25/foil-conficker-get-rid-of-autorun/comment-page-1#comment-42393 Peter Thu, 26 Mar 2009 10:11:04 +0000 http://www.eset.com/threat-center/blog/?p=828#comment-42393 Dear Mr. Abrams, "[Please note, the second line wraps, but it is really a single line. —————————————————————————————— REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf] @="@SYS:DoesNotExist" ——————————————————————————————]" Do you mean that @="@SYS:DoesNotExist" must be typed right after 'Autorun.inf]' without a space. Please kindly instruct. Thanks. Dear Mr. Abrams,

“[Please note, the second line wraps, but it is really a single line.

——————————————————————————————
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@=”@SYS:DoesNotExist”
——————————————————————————————]”

Do you mean that @=”@SYS:DoesNotExist” must be typed right after ‘Autorun.inf]’ without a space.
Please kindly instruct. Thanks.

]]> By: David Harley http://www.eset.com/blog/2009/03/25/foil-conficker-get-rid-of-autorun/comment-page-1#comment-42356 David Harley Wed, 25 Mar 2009 23:51:15 +0000 http://www.eset.com/threat-center/blog/?p=828#comment-42356 Thank you, Mr. Mouse. :) Fixed. Thank you, Mr. Mouse. :) Fixed.

]]>