Author Topic: [Resolved] autorun infection..  (Read 13278 times)


area51

  • Guest
[Resolved] autorun infection..
« on: March 29, 2011, 01:05:48 AM »
You know.. when annoying people (friends of my brother) come and plug their USB devices into my dad's PC, which I protect very hard..
Today avast found a worm on my brother's gf's disk-on-key, so my father and I decided to put an end to this.
So I put a password on his user (the only user, which is also admin), and every time he will log off so random people won't log in, but the question is:
when I logged off completely, I inserted a disk and avast still checked the disk, so.. if someone inserts an infected device while the computer is logged off, will it still try to run on the OS?
BTW, if avast! detected the inf file on the disk-on-key and removed the inf file, is it possible that there are traces in the system? (system restore is off/boot scan=clean)

thank you :)
« Last Edit: April 01, 2011, 01:51:35 PM by area51 »

Lisandro

  • Avast team
Re: log off question - please :(
« Reply #1 on: March 29, 2011, 02:12:17 AM »
Quote
Is it possible that there are traces in the system? (system restore is off/boot scan=clean)

Most probably you're clean.
Anyway, I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try Dr.Web CureIt! instead.
3. Use MBAM (or SUPERAntiSpyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Read these instructions and provide more info with the logs generated.
6. Clean your Hosts file (replacing it) with the HostsMan tool.
7. Disable System Restore and then re-enable it.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

area51

  • Guest
Re: log off question - please :(
« Reply #2 on: March 29, 2011, 02:28:53 AM »
1. I always do that - almost every day no matter what.
2. Already done, as written in my first message (archive scanning on by default).
3. MBAM - already made a full scan (clean xD).
4. avast! rootkit is built in, and I said that it said it's clean, so yes, did it as well.
5. nvm..
6. nvm..
7. System Restore is disabled 5 seconds after every OS format I make.. I hate this feature, it's a big risk for Windows.
8. MBAM and avast! aren't enough? :\
9. nvm..

dude thank you very much :)
at least 1 helped, and he did it very well.

Nesivos

  • Guest
Re: log off question - please :(
« Reply #3 on: March 29, 2011, 02:56:30 AM »
Quote
You know.. when annoying people (friends of my brother) come and plug their USB devices into my dad's PC, which I protect very hard..
Today avast found a worm on my brother's gf's disk-on-key, so my father and I decided to put an end to this.
So I put a password on his user (the only user, which is also admin), and every time he will log off so random people won't log in, but the question is:
when I logged off completely, I inserted a disk and avast still checked the disk, so.. if someone inserts an infected device while the computer is logged off, will it still try to run on the OS?
BTW, if avast! detected the inf file on the disk-on-key and removed the inf file, is it possible that there are traces in the system? (system restore is off/boot scan=clean)

thank you :)

If you have "Plug and Play" (AutoPlay) turned on, then a thumb drive can indeed infect your computer when no one is logged in, even, I believe, in sleep mode.

If you want to eliminate the possibility of someone inserting a thumb drive in your computer while it is turned off and infecting the computer, then you need to turn off AutoPlay.

If you are using W7, go to the Windows ball and click on it. Then type in "AutoPlay". Then click on "AutoPlay". When the AutoPlay screen opens, select the appropriate "Media" and click the Down arrow to the right. Select "Take No Action" to disable AutoPlay/Autorun. By doing this, it will require two activities: 1. someone to be logged in; 2. manually running the infected file on the thumb drive in order to set off the virus.
« Last Edit: March 29, 2011, 05:49:28 PM by Nesivos »
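As an added example (not from the thread, not Avast's or Microsoft's tooling), the same hardening done from an elevated PowerShell prompt instead of the Control Panel: it reads the Windows policy values NoDriveTypeAutoRun (0xFF = no autorun on any drive type) and DisableAutoplay, then enforces both. The registry paths and value names are real Windows settings; the "0x91 default" remark in the output is an assumption about Vista/7 defaults when the value is absent.

```powershell
# Added example: audit and enforce autorun/AutoPlay policy machine-wide.
# Requires an elevated prompt for the HKLM write.

$policy       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autoplayUser = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

function Get-AutorunPolicy {
    # Missing values come back as $null without throwing.
    $v = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $d = (Get-ItemProperty -Path $autoplayUser -Name DisableAutoplay -ErrorAction SilentlyContinue).DisableAutoplay

    $shown = 'not set (Vista/7 default 0x91: autorun still allowed on removable drives)'
    if ($null -ne $v) { $shown = '0x{0:X2}' -f $v }

    [pscustomobject]@{
        NoDriveTypeAutoRun      = $shown
        AutorunOffForAllDrives  = ($v -eq 0xFF)   # every drive-type bit set
        AutoPlayDisabledForUser = ($d -eq 1)      # "Use AutoPlay for all media" unticked
    }
}

function Set-AutorunDisabled {
    # Machine-wide: Explorer ignores autorun.inf on all drive types.
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    New-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null

    # Per-user: the AutoPlay prompt itself is switched off for the current account.
    if (-not (Test-Path $autoplayUser)) { New-Item -Path $autoplayUser -Force | Out-Null }
    New-ItemProperty -Path $autoplayUser -Name DisableAutoplay -PropertyType DWord -Value 1 -Force | Out-Null
}

Write-Host 'Before:'
Get-AutorunPolicy | Format-List
Set-AutorunDisabled
Write-Host 'After:'
Get-AutorunPolicy | Format-List
```

Explorer reads NoDriveTypeAutoRun at logon, so log off and back on (or restart Explorer) before re-checking; the HKLM value wins over any per-user copy, which is what you want on a shared family PC.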

doktornotor

  • Guest
Re: log off question - please :(
« Reply #4 on: March 29, 2011, 08:08:55 AM »
Quote
Or you can go to Gibson Research and download their nifty "UnPlug n' Pray" utility. Using this utility it only takes two clicks to turn AutoPlay off or on.

UPnP has nothing to do with autoplay.

SafeSurf

  • Guest
Re: log off question - please :(
« Reply #5 on: March 29, 2011, 10:26:28 AM »
I and our malware removal expert recommend Panda USB Vaccine for USB devices (free):
http://research.pandasecurity.com/panda-usb-and-autorun-vaccine/ and it can be run on any drive on your machine for removable devices.

You are given the option to "vaccinate" your machine, which means to disable autorun.inf from infecting your machine again, and you can enable it again (although I wouldn't). Plus you can "vaccinate" any USB/flash or removable device so that it cannot infect your machine. This type of malware is easily transmittable because many people use USB sticks.

area51

  • Guest
Re: log off question - please :(
« Reply #6 on: March 29, 2011, 12:16:19 PM »
But if avast! found the autorun.inf, it means that it stopped it from working, right? So nothing actually ran on the computer.
avast! boot scan and MBAM both say the computer is clean, no suspicious tasks and no more USB as well.

dansorin

  • Guest
Re: log off question - please :(
« Reply #7 on: March 29, 2011, 04:49:49 PM »
avast stopped that and you are OK. Panda USB Vaccine is a must-have, and you can set it to automatically vaccinate every USB stick you connect to the computer.
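An added example, not from the thread and not Panda's code, covering both the "vaccinate" posts above and area51's question of what the detected autorun.inf would have done: a PowerShell triage function that reads a removable drive's autorun.inf as plain text and reports the directives Explorer would have acted on (open=, shellexecute=, shell\<verb>\command=), without running anything. Treating an autorun.inf that is a directory or unreadable as the vaccinated case is an assumption about how vaccination tools block the file; the sample file at the end is constructed, not a real worm's.

```powershell
# Added example: classify a drive's autorun.inf as absent, vaccinated or suspicious.
function Test-AutorunInf {
    param([Parameter(Mandatory)][string]$DriveRoot)

    $path = Join-Path $DriveRoot 'autorun.inf'
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; State = 'absent'; Launches = @() }
    }
    # Assumption: a vaccine leaves a directory or an unreadable file in place of autorun.inf.
    if (Test-Path -LiteralPath $path -PathType Container) {
        return [pscustomobject]@{ Path = $path; State = 'vaccinated (directory)'; Launches = @() }
    }
    try { $content = Get-Content -LiteralPath $path -ErrorAction Stop }
    catch { return [pscustomobject]@{ Path = $path; State = 'unreadable (possibly vaccinated)'; Launches = @() } }

    # Only the [autorun] section matters; only launch directives are reported, icon= is ignored.
    $launches = @()
    $section  = ''
    foreach ($line in $content) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }
        if ($t -match '^(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            $launches += ('{0} -> {1}' -f $Matches[1], $Matches[2])
        }
    }
    $state = 'benign-looking (no launch directives)'
    if ($launches.Count -gt 0) { $state = 'suspicious (launch directives present)' }
    [pscustomobject]@{ Path = $path; State = $state; Launches = $launches }
}

# Constructed sample (not a real worm): the typical shape of an autorun worm's autorun.inf.
$sample = Join-Path $env:TEMP 'autorun-demo'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@'
[autorun]
open=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
'@ | Set-Content -LiteralPath (Join-Path $sample 'autorun.inf')

Test-AutorunInf -DriveRoot $sample | Format-List
```

Point it at a real stick with `Test-AutorunInf -DriveRoot 'E:\'`; a "suspicious" result means the referenced file on the stick is what avast would have had to stop, and is the thing to quarantine.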

Nesivos

  • Guest
Re: log off question - please :(
« Reply #8 on: March 29, 2011, 05:52:56 PM »
Quote
Or you can go to Gibson Research and download their nifty "UnPlug n' Pray" utility. Using this utility it only takes two clicks to turn AutoPlay off or on.

UPnP has nothing to do with autoplay.

For purposes of this discussion you are correct.

However, it is my understanding that the purpose of UPnP is to discover networked devices and allow them to seamlessly communicate. Some networked devices are autoplay, so my understanding is that there is a connection between the two.

Thanks for your comment :)

I removed my comment regarding the GRC UPnP tool.
« Last Edit: March 29, 2011, 05:58:02 PM by Nesivos »

doktornotor

  • Guest
Re: log off question - please :(
« Reply #9 on: March 29, 2011, 06:24:13 PM »
Quote
However, it is my understanding that the purpose of UPnP is to discover networked devices and allow them to seamlessly communicate. Some networked devices are autoplay, so my understanding is that there is a connection between the two.

Nope, UPnP, PnP and autorun (autoplay) are three completely different things.

http://en.wikipedia.org/wiki/Universal_Plug_and_Play
http://en.wikipedia.org/wiki/Plug_and_Play
http://en.wikipedia.org/wiki/Autorun

Nesivos

  • Guest
Re: log off question - please :(
« Reply #10 on: March 29, 2011, 07:09:49 PM »
Quote
However, it is my understanding that the purpose of UPnP is to discover networked devices and allow them to seamlessly communicate. Some networked devices are autoplay, so my understanding is that there is a connection between the two.

Nope, UPnP, PnP and autorun (autoplay) are three completely different things.

http://en.wikipedia.org/wiki/Universal_Plug_and_Play
http://en.wikipedia.org/wiki/Plug_and_Play
http://en.wikipedia.org/wiki/Autorun

From your UPnP link above

Quote
The concept of UPnP is an extension of plug-and-play, a technology for dynamically attaching devices directly to a computer, although UPnP is not directly related to the earlier plug-and-play technology. UPnP devices are "plug-and-play" in that when connected to a network they automatically establish working configurations with other devices.

Here is my current understanding at this point

AutoPlay = AutoRun

When running a network and using Plug and Play devices, there is definitely a connection between UPnP and Plug and Play in the sense that some Plug and Play devices are also networked.

When using a Plug and Play device and having UPnP enabled, that Plug and Play device can be automatically recognized by the network once plugged in.

There is also a connection between Plug and Play and AutoPlay in that some USB devices which are Plug and Play contain software that is AutoPlay/AutoRun.

That is my current understanding.

Thanks for your help in clarifying this.

If more clarification is needed post away :)
« Last Edit: March 29, 2011, 07:21:03 PM by Nesivos »

doktornotor

  • Guest
Re: log off question - please :(
« Reply #11 on: March 29, 2011, 07:19:43 PM »
UPnP has zero in common with autoplay/autorun. Disabling UPnP will NOT disable autorun in any way. Period.

Nesivos

  • Guest
Re: log off question - please :(
« Reply #12 on: March 29, 2011, 07:40:28 PM »
Quote
UPnP has zero in common with autoplay/autorun. Disabling UPnP will NOT disable autorun in any way. Period.

If you disable UPnP, you reduce or eliminate the possible spreading of malware across your network due to the insertion of a Plug and Play device in one of the computers on the network. This is because by disabling UPnP you are turning off network discovery. Therefore, if UPnP is disabled and you insert a Plug and Play device with an infected AutoRun file, that infection will not spread across the network.

If UPnP is not disabled, then any virus set off by AutoPlay/AutoRun when a Plug and Play device is inserted into a networked computer can spread across the network.

That is how I understand they are technologically connected.

doktornotor

  • Guest
Re: log off question - please :(
« Reply #13 on: March 29, 2011, 07:51:16 PM »
Yeah, you can as well disconnect the network cable to be even more safe. ::) Now, can we drop the UPnP off-topic stuff here? UPnP should be disabled for completely different reasons than autorun. And autorun should be disabled globally on your machine, and anyone else's for that matter.

Nesivos

  • Guest
Re: log off question - please :(
« Reply #14 on: March 29, 2011, 08:16:49 PM »
Quote
Yeah, you can as well disconnect the network cable to be even more safe. ::) Now, can we drop the UPnP off-topic stuff here? UPnP should be disabled for completely different reasons than autorun. And autorun should be disabled globally on your machine, and anyone else's for that matter.

Quote
Now, can we drop the UPnP off-topic stuff here?

Quote
UPnP should be disabled for completely other reasons than autorun.

Absolutely

I think we are finally in agreement on this.

Thanks for sharing on this subject. :)