Comments on: Foil Conficker Get Rid of AutoRun News, Views, and Insight from the ESET Security Community Mon, 03 Feb 2014 08:49:00 +0000 hourly 1 By: AK_David Sun, 23 May 2010 13:32:23 +0000 Thanks for the response.  I think I must of been unclear though, I did not mean for the option to just open regedit for the user.  I meant for it to present a check box in advanced settings area that stated something like:
"Check here to Disable Autorun" – Autorun.ini files can expose your system to unnecessary risks.  Most users do not need or use the functions provided with autorun so will have no harmful effects from disabling it.  Un-check the box to activate autorun again if you end up needing it. 
Its some what of a wordy example but I'm sure the professionals there could shorten it up a bit should the idea be implemented.  It could include a link to this blog or an official Eset info page about autorun for a further more detailed explanation of the threat and effects disabling autorun can have.  If a user checked the box Eset could simply make sure the registry value was changed to disable autorun.  I've heard of other security and anti-virus applications having a setting to disable autorun (how they go about registry key or otherwise that I do not know).  I just know the average user wont ever read up on or understand the risk autorun poses to them let alone be able to safely head into the registry to do anything about it.  I do not even know to what level eset monitors and protects against autorun style attacks but I am hoping it is very thorough in how it handles it already.  By Eset reminding the customer in preferences of the risks and making it easy to fix with a simple checking of a box it would both improve the customers security as well as help stop the spread of malicious code out there.
Thanks again for taking the time to respond, I look forward to reading your Windows 7 / autorun blog when you post it.  =)

By: Randy Abrams Thu, 20 May 2010 17:41:05 +0000 I don't set the specs for ESET products, but I doubt we will add a feature to open regedit. If it is a problem to manually open it, then the user probably shouldn't be using it as they can break their computer if they get things wrong. ESET products do not disable autorun as autorun is a choice that users need to make for themselves. If a person wants autorun then it is not our place to say no to that.
I will address Windows 7 and autorun in a separate blog.

By: AK_David Mon, 17 May 2010 12:52:49 +0000 First, I have a suggestion if possible, could this fix be put in eset's products as a check box (having the program go edit the registry)?  That would help many people that other wise wouldn't see this article realize there is a easy way to make your computer much more secure.  I searched around and didn't seem to find any mention of Eset products already being able to disable autorun. 
Second, has anyone tried this on Window 7 yet?   I'm new to window 7 and while I've heard they have improved the situation with autorun problems in it I still don't feel safe and looking in the autoplay control panel don't even see a way to disable autorun.inf files on removable drives like USB drives etc.  Is Windows 7 setting for disabling autorun in another location?  I noticed that windows 7 help at least has a clearer definition of the difference in autorun and autoplay than they use to have but they still don't appear to admit to or point out the need to disable autorun.
Thanks for this article, even though I also read Michael Horowitz's article and the Nick Brown blog it mentions where he describes this solution of Emin Atac.  I also found it at the US-CERT gov site, I feel better using this procedure now having someone from ESET verify it.
Thanks for your time and efforts

By: Randy Abrams Wed, 12 May 2010 14:44:01 +0000 I recommend you contact Alwil who make Avast. We do not offer product support through the blog, and if we did, it would not be for another vendor's product :)

By: CaesarRupus Tue, 04 May 2010 01:45:15 +0000 Hey,
I use a wireless net card for internet connection. After I inserted a pen drive with autorun.inf, the network gets disconnected after sometime and never connects back even if I click connect button. It has something to do with svchost.exe and I have to restart my comp every 15 minutes to connect to internet.. My antivirus Avast keeps detecting iu82.exe every now and then. Is this related? How do I solve this?

By: Scorellis Tue, 06 Oct 2009 12:36:38 +0000 SOrry, meant to say “I just plugged a USB drive in.” Not just “it.” I’m only halfway into my second cup of coffee…

By: Scorellis Tue, 06 Oct 2009 12:35:09 +0000 I’m a little confused. I run ESet on this machine and I just plugged it in. ESet started popping an alert window telling me I had an autorun virus. This autorun file, according to ESet, tried to access the explorer.exe and one other file…I want to say it was SVCHost but don’t quote me on that. Anyway, i tried to open the file in notepad and then in a hex editor (that’s right, I read hex) and couldn’t. My asusmption is that I had a virus but am also thinking that ESet is actively trying to overprotect me. I am not sure which. Please let me know which it is or direct me to the forum where I can find out? And also, how may I check and see what other sorts of things ESet has in store for my future? Perhaps they’d like to let me know how many kids I’m going to have, or where I will be working next year, or what kind of car I should buy? Or where I should shop?

By: Randy Abrams Fri, 28 Aug 2009 21:00:46 +0000 A similar comment was posted quite a while back. This is a long running scam. The bad guys are always changing the malware associated with it though. The email did not come from DHL.

By: Jewelry Making Supplies Thu, 27 Aug 2009 23:59:47 +0000 In response to the post:

We just got something from “DHL” and it contained a file called DHL_HELP, that appparently DHL says has a virus, I looked on the server that was hosting the customer and it had a file called DHL_HELP.exe file running, I couldnt find any info on this which makes me think its brand new, have you guys heard of this? I was thinking it might be related to Conficker….

Have you seen this issue come up since, or was it only a one-time email from “DHL”. I just ask, because we recently got something very similar.

By: David Harley Mon, 06 Apr 2009 11:42:46 +0000 Panda’s vaccine sounds like a good idea for some people, and if you’re going to automate autorun disabling, it’s safer to go with a utility from a reputable antimalware company than with the first link you pick up off a google search, which may or may not be innocent/genuine/useful.

I’m not going to link to this tool, because I haven’t tested it or looked at it in detail (when I upgrade to a 28 hour day, I may have time to do that…), and there are actually quite a few utilities that claim to do this. There also seems to be some confusion as to how permanent the process is in some scenarios, and sometimes you -may- need to turn Autorun back on temporarily.

By: Art Lewis Sun, 05 Apr 2009 09:48:55 +0000 Rather than asking people to make complicated registry changes themselves, why not just use Panda Security’s “vaccination” program that supposedly disables autorun? [Edited]


By: DC Thu, 02 Apr 2009 13:44:21 +0000 “When you create and then run the registry file it create a key called Autorun.inf in HKLM/Software/Microsoft/Windows Nt/Currentversion/IniFileMapping . The value of the key is @=@SYS:DoesNotExist. ”

Actually, the value of the key is @SYS:DoesNotExist, isnt it?

By: Peter Thu, 26 Mar 2009 10:55:54 +0000 Dear Mr. Abrams,

I found the answer from the site you mentioned:

“Note that there are three lines in the file, the middle line may wrap when displayed by a web browser, but it needs to be a single line in the .reg file.”

Thank you.

By: Peter Thu, 26 Mar 2009 10:11:04 +0000 Dear Mr. Abrams,

“[Please note, the second line wraps, but it is really a single line.

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIniFileMappingAutorun.inf]

Do you mean that @=”@SYS:DoesNotExist” must be typed right after ‘Autorun.inf]’ without a space.
Please kindly instruct. Thanks.

By: David Harley Wed, 25 Mar 2009 23:51:15 +0000 Thank you, Mr. Mouse. :) Fixed.

By: David Harley Wed, 25 Mar 2009 23:41:20 +0000 It’s not actually Conficker, but it’s a known Trojan Downloader. Thanks for letting us know.

By: Richard Wed, 25 Mar 2009 23:15:07 +0000 We just got something from “DHL” and it contained a file called DHL_HELP, that appparently DHL says has a virus, I looked on the server that was hosting the customer and it had a file called DHL_HELP.exe file running, I couldnt find any info on this which makes me think its brand new, have you guys heard of this? I was thinking it might be related to Conficker

By: Incredible Mouse Wed, 25 Mar 2009 23:03:25 +0000 Small typo in the first line..

“[ does block one IF the attack vectors and prevents many..]”

Should read: one OF the
I’m being picky. Ignore me.