Re: [H] Anyone see the CERT today about AUTORUN?

2009-01-21 Thread DHSinclair

Chris,
ROTFLMAO!

Well, I do not believe I am quite that rural, yet!  And the "gerbils" are 
APC ups's.

But, I do see your point.
I'll test this on one machine and see what happens; about the 
"mountpoints/2" business.
The machine can be rebuilt easy enough! I now have a pre-fix image of it 
ATM.  I now have a current "test" XPpro machine!   Just for stuff like this.

Thanks,
Duncan

At 12:40 01/21/2009 -0500, you wrote:

>On Wed, 21 Jan 2009, DHSinclair wrote:
>
>>Chris,
>>Thanks for this answer to Wayne's alternative.  I have read thru the doc
>>several times now.
>>I'd really like to install this business, BUT I do have some concern
>>about the delete of the "MountPoints2" key.  I do not have a key, I have a
>>Folder/Key. And, it has very much inside it.
>>I see keys for each of my installed I/O on the machine. This I get.  But,
>>I also see many {big hex #} keys also which I really do not wish to
>>research prior to deletion of the parent key.
>>
>>I do NOT yet use mountpoints for remote drives on my LAN yet.  If I read
>>Wayne's concern correctly, once I install this "fix" I will NOT be able
>>to use remote drive mounts. Is this correct?
>>
>>Ideas/suggestions?   Oh, this is a machine that was upgraded from W2K to WXP!
>>Thanks,
>>Duncan
>
>I'd have to say from the standpoint of security, since you live 100 miles
>from anyone else and have Gerbils for power generation the chance someone
>will be putting a bad USB stick into your system is low.  =)
>
>I'm not 100% sure what information is stored in that mountpoints
>key/folder in the registry.  If I've read correctly (And I've messed up my
>reading in the past) it's just a cache of previous autoruns.  You can
>always export that registry key, delete it, then restart the computer and
>see if it has any problems.  Worst case you'd have to go into the recovery
>console and re-import the keys.
>
>Christopher Fisk
>--
>Stewie Griffin:  Am I to spend the entire day wallowing around in my own
>feces? A little service here.
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.




Re: [H] Anyone see the CERT today about AUTORUN?

2009-01-21 Thread FORC5
you can always use ; in front of the key to disable it without deleting it for 
testing
fp

At 10:21 AM 1/21/2009, DHSinclair Poked the stick with:
>Chris,
>Thanks for this answer to Wayne's alternative.  I have read thru the doc 
>several times now.
>I'd really like to install this business, BUT I do have some concern about the
>delete of the "MountPoints2" key.  I do not have a key, I have a Folder/Key.
>And, it has very much inside it.
>I see keys for each of my installed I/O on the machine. This I get.  But, I
>also see many {big hex #} keys also which I really do not wish to research
>prior to deletion of the parent key.
>
>I do NOT yet use mountpoints for remote drives on my LAN yet.  If I read
>Wayne's concern correctly, once I install this "fix" I will NOT be able to use
>remote drive mounts. Is this correct?
>Ideas/suggestions?   Oh, this is a machine that was upgraded from W2K to WXP!
>Thanks,
>Duncan
>
>At 11:46 01/21/2009 -0500, you wrote:
>>On Wed, 21 Jan 2009, Wayne Johnson wrote:
>>
>>>
>>>
>>>I don't think I completely agree with this solution especially if you have a 
>>>lan.
>>>
>>>
>>>>Alternatively, the following registry key may be deleted:
>>>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
>>>
>>>If one deletes this then won't they lose their mappoints for all the
>>>other drives on the lan?
>>
>>It just deletes the autorun cache, not the mountpoints themselves.  Good if 
>>you're looking to get rid of any memorized autoruns.
>>
>>>
>>>I do have a reg file that I run that disables autorun
>>>
>>>REGEDIT4
>>>
>>>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files]
>>>"*setup*.exe"=""
>>>"*instal*.exe"=""
>>>"*setup*.bat"=""
>>>"*instal*.bat"=""
>>>"*setup*.cmd"=""
>>>"*instal*.cmd"=""
>>>"*setup*.com"=""
>>>"*instal*.com"=""
>>>"Y?kle*"=""
>>>"Felrak.exe"=""
>>>"Imposta.exe"=""
>>>"KUR.exe"=""
>>>"Ayarla.exe"=""
>>>"sfc2.ico"=""
>>>"evanims"=""
>>>"0001.tmp"=""
>>>"updmoney.exe"=""
>>>"hs\\media\\y\\11399\\11399_cd_fp.jpg"=""
>>>"hs\\media\\y\\9953\\9953_cd_fp.jpg"=""
>>>"hs\\media\\y\\9951\\9951_cd_fp.jpg"=""
>>>"hs\\media\\y\\9964\\9964_cd_fp.jpg"=""
>>>"hs\\media\\y\\9968\\9968_cd_fp.jpg"=""
>>>"inf"=""
>>
>>That only stops what you can proactively stop.  If someone were to name their 
>>malicious autorun blahblahblah.exe then you're not stopping it.
>>
>>
>>Christopher Fisk
>>--
>>[during a company sexual harassment training video]
>>Narrator:  Remember, nothing says "good job" like a firm, open-palm slap on 
>>the behind.
>>

-- 
Tallyho ! ]:8)
Taglines below !
--
The bird of war is not the eagle but the stork.



Re: [H] Anyone see the CERT today about AUTORUN?

2009-01-21 Thread Christopher Fisk

On Wed, 21 Jan 2009, DHSinclair wrote:


>Chris,
>Thanks for this answer to Wayne's alternative.  I have read thru the doc
>several times now.
>I'd really like to install this business, BUT I do have some concern about the
>delete of the "MountPoints2" key.  I do not have a key, I have a Folder/Key.
>And, it has very much inside it.
>I see keys for each of my installed I/O on the machine. This I get.  But, I
>also see many {big hex #} keys also which I really do not wish to research
>prior to deletion of the parent key.
>
>I do NOT yet use mountpoints for remote drives on my LAN yet.  If I read
>Wayne's concern correctly, once I install this "fix" I will NOT be able to use
>remote drive mounts. Is this correct?
>
>Ideas/suggestions?   Oh, this is a machine that was upgraded from W2K to WXP!
>Thanks,
>Duncan


I'd have to say from the standpoint of security, since you live 100 miles 
from anyone else and have Gerbils for power generation the chance someone 
will be putting a bad USB stick into your system is low.  =)



I'm not 100% sure what information is stored in that mountpoints 
key/folder in the registry.  If I've read correctly (And I've messed up my 
reading in the past) it's just a cache of previous autoruns.  You can 
always export that registry key, delete it, then restart the computer and 
see if it has any problems.  Worst case you'd have to go into the recovery 
console and re-import the keys.



Christopher Fisk
--
Stewie Griffin:  Am I to spend the entire day wallowing around in my own 
feces? A little service here.





Re: [H] Anyone see the CERT today about AUTORUN?

2009-01-21 Thread DHSinclair

Chris,
Thanks for this answer to Wayne's alternative.  I have read thru the doc 
several times now.
I'd really like to install this business, BUT I do have some concern about
the delete of the "MountPoints2" key.  I do not have a key, I have a
Folder/Key.  And, it has very much inside it.
I see keys for each of my installed I/O on the machine. This I get.  But, I
also see many {big hex #} keys also which I really do not wish to research
prior to deletion of the parent key.

I do NOT yet use mountpoints for remote drives on my LAN yet.  If I read
Wayne's concern correctly, once I install this "fix" I will NOT be able to
use remote drive mounts. Is this correct?

Ideas/suggestions?   Oh, this is a machine that was upgraded from W2K to WXP!
Thanks,
Duncan

At 11:46 01/21/2009 -0500, you wrote:

>On Wed, 21 Jan 2009, Wayne Johnson wrote:
>
>>I don't think I completely agree with this solution especially if you
>>have a lan.
>>
>>>Alternatively, the following registry key may be deleted:
>>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
>>
>>If one deletes this then won't they lose their mappoints for all the
>>other drives on the lan?
>
>It just deletes the autorun cache, not the mountpoints themselves.  Good
>if you're looking to get rid of any memorized autoruns.
>
>>I do have a reg file that I run that disables autorun
>>
>>REGEDIT4
>>
>>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files]
>>"*setup*.exe"=""
>>"*instal*.exe"=""
>>"*setup*.bat"=""
>>"*instal*.bat"=""
>>"*setup*.cmd"=""
>>"*instal*.cmd"=""
>>"*setup*.com"=""
>>"*instal*.com"=""
>>"Y?kle*"=""
>>"Felrak.exe"=""
>>"Imposta.exe"=""
>>"KUR.exe"=""
>>"Ayarla.exe"=""
>>"sfc2.ico"=""
>>"evanims"=""
>>"0001.tmp"=""
>>"updmoney.exe"=""
>>"hs\\media\\y\\11399\\11399_cd_fp.jpg"=""
>>"hs\\media\\y\\9953\\9953_cd_fp.jpg"=""
>>"hs\\media\\y\\9951\\9951_cd_fp.jpg"=""
>>"hs\\media\\y\\9964\\9964_cd_fp.jpg"=""
>>"hs\\media\\y\\9968\\9968_cd_fp.jpg"=""
>>"inf"=""
>
>That only stops what you can proactively stop.  If someone were to name
>their malicious autorun blahblahblah.exe then you're not stopping it.
>
>Christopher Fisk
>--
>[during a company sexual harassment training video]
>Narrator:  Remember, nothing says "good job" like a firm, open-palm slap
>on the behind.






Re: [H] Anyone see the CERT today about AUTORUN?

2009-01-21 Thread Christopher Fisk

On Wed, 21 Jan 2009, Wayne Johnson wrote:




>I don't think I completely agree with this solution especially if you have a
>lan.
>
>>Alternatively, the following registry key may be deleted:
>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
>
>If one deletes this then won't they lose their mappoints for all the other
>drives on the lan?


It just deletes the autorun cache, not the mountpoints themselves.  Good 
if you're looking to get rid of any memorized autoruns.




>I do have a reg file that I run that disables autorun
>
>REGEDIT4
>
>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files]
>"*setup*.exe"=""
>"*instal*.exe"=""
>"*setup*.bat"=""
>"*instal*.bat"=""
>"*setup*.cmd"=""
>"*instal*.cmd"=""
>"*setup*.com"=""
>"*instal*.com"=""
>"Y?kle*"=""
>"Felrak.exe"=""
>"Imposta.exe"=""
>"KUR.exe"=""
>"Ayarla.exe"=""
>"sfc2.ico"=""
>"evanims"=""
>"0001.tmp"=""
>"updmoney.exe"=""
>"hs\\media\\y\\11399\\11399_cd_fp.jpg"=""
>"hs\\media\\y\\9953\\9953_cd_fp.jpg"=""
>"hs\\media\\y\\9951\\9951_cd_fp.jpg"=""
>"hs\\media\\y\\9964\\9964_cd_fp.jpg"=""
>"hs\\media\\y\\9968\\9968_cd_fp.jpg"=""
>"inf"=""


That only stops what you can proactively stop.  If someone were to name 
their malicious autorun blahblahblah.exe then you're not stopping it.



Christopher Fisk
--
[during a company sexual harassment training video]
Narrator:  Remember, nothing says "good job" like a firm, open-palm slap 
on the behind.





Re: [H] Anyone see the CERT today about AUTORUN?

2009-01-21 Thread Christopher Fisk

On Wed, 21 Jan 2009, Wayne Johnson wrote:


>At 08:54 AM 1/21/2009, Christopher Fisk typed:
>
>>TA09-020A
>>
>>http://www.us-cert.gov/cas/techalerts/TA09-020A.html
>>
>>I know a lot of the collective disable autorun, thought this would be useful
>>for you.
>
>I don't think I completely agree with this solution especially if you have a
>lan.
>
>>Alternatively, the following registry key may be deleted:
>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
>
>If one deletes this then won't they lose their mappoints for all the other
>drives on the lan?
>
>I do have a reg file that I run that disables autorun
>
>REGEDIT4
>
>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files]
>"*setup*.exe"=""
>"*instal*.exe"=""
>"*setup*.bat"=""
>"*instal*.bat"=""
>"*setup*.cmd"=""
>"*instal*.cmd"=""
>"*setup*.com"=""
>"*instal*.com"=""
>"Y?kle*"=""
>"Felrak.exe"=""
>"Imposta.exe"=""
>"KUR.exe"=""
>"Ayarla.exe"=""
>"sfc2.ico"=""
>"evanims"=""
>"0001.tmp"=""
>"updmoney.exe"=""
>"hs\\media\\y\\11399\\11399_cd_fp.jpg"=""
>"hs\\media\\y\\9953\\9953_cd_fp.jpg"=""
>"hs\\media\\y\\9951\\9951_cd_fp.jpg"=""
>"hs\\media\\y\\9964\\9964_cd_fp.jpg"=""
>"hs\\media\\y\\9968\\9968_cd_fp.jpg"=""
>"inf"=""
>
>And then there is always using TweakUI to disable it.


I'm pretty sure the issue is that the autoplay feature can be susceptible
to a buffer overrun, so it still reads the autorun.inf and if that is
malformed can cause an issue (If I read it right).



Essentially, even with autorun turned off how Microsoft recommends it be 
turned off it still parses the autorun (To get things like the icon for 
the drive and stuff).



Christopher Fisk
--
You know you're using the computer too much when:
all of the sudden people ask you to many danm questions on aim or msn 
messenger

-- RedDawn


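As an added illustration, not code from the thread or from any of its posters, here is a small Python audit that ties together Chris's two points: that Wayne's CancelAutoplay\Files list only stops launcher names you anticipated (blahblahblah.exe sails through), and that Explorer still parses autorun.inf for the icon and label even when launching is suppressed. It reads a constructed REGEDIT4 excerpt and two constructed autorun.inf samples; the wildcard semantics (case-insensitive * and ? over the bare file name) are my assumption about how Windows evaluates those value names.

```python
import configparser
import fnmatch
import re

# Constructed sample: the head of Wayne's CancelAutoplay\Files .reg export,
# trimmed to five of its entries.
REG_TEXT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files]
"*setup*.exe"=""
"*instal*.exe"=""
"*setup*.bat"=""
"Felrak.exe"=""
"inf"=""
'''

# Constructed autorun.inf samples: a vendor-style one, and one whose launcher
# carries the arbitrary name Chris uses as his counterexample.
AUTORUN_VENDOR = "[autorun]\nicon=setup.exe,0\nlabel=Driver CD\nopen=setup.exe /quiet\n"
AUTORUN_RENAMED = "[autorun]\nicon=photos.ico\nlabel=Photos\nopen=blahblahblah.exe\n"

def cancel_patterns(reg_text):
    """Value names listed under the CancelAutoplay\\Files key of a REGEDIT4 export."""
    return re.findall(r'^"([^"]+)"=""\s*$', reg_text, re.MULTILINE)

def parse_autorun(text):
    """The [autorun] section as a dict; keys lowercased, as Windows matches them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp.items("autorun")) if cp.has_section("autorun") else {}

def is_cancelled(filename, patterns):
    """Simulated list match. Assumption: Windows evaluates the value names as
    case-insensitive * and ? wildcards against the bare file name."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)

def audit(autorun_text, reg_text):
    """Report what the autorun.inf would launch and whether the cancel list
    covers every launcher. icon/label are reported too: Explorer parses them
    even when launching is suppressed, which is the exposure the alert describes."""
    entries = parse_autorun(autorun_text)
    patterns = cancel_patterns(reg_text)
    launchers = [entries[k].split()[0] for k in ("open", "shellexecute") if k in entries]
    blocked = bool(launchers) and all(is_cancelled(f, patterns) for f in launchers)
    return {"launchers": launchers, "blocked": blocked,
            "icon": entries.get("icon"), "label": entries.get("label")}

for sample in (AUTORUN_VENDOR, AUTORUN_RENAMED):
    print(audit(sample, REG_TEXT))   # vendor: blocked True; renamed: blocked False
```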


Re: [H] Anyone see the CERT today about AUTORUN?

2009-01-21 Thread Naushad Zulfiqar
Quite interesting. Thanks for the heads up.

On Jan 21, 2009 4:54 PM, "Christopher Fisk"  wrote:

>TA09-020A
>
>http://www.us-cert.gov/cas/techalerts/TA09-020A.html
>
>I know a lot of the collective disable autorun, thought this would be useful
>for you.
>
>Christopher Fisk
>--
>"The inside of my head was exploding with fireworks. Fortunately, my last
>thought turned out the lights when it left."
> --- Calvin



[H] Anyone see the CERT today about AUTORUN?

2009-01-21 Thread Christopher Fisk

TA09-020A

http://www.us-cert.gov/cas/techalerts/TA09-020A.html


I know a lot of the collective disable autorun, thought this would be 
useful for you.



Christopher Fisk
--
"The inside of my head was exploding with fireworks. Fortunately, my last 
thought turned out the lights when it left."

  --- Calvin
