NoDriveTypeAutoRun value change [Archive]

View Full Version : NoDriveTypeAutoRun value change

mrappe

2010-10-14, 05:20

I had a virus win32/alureon.h and have used many tools to remove it. It seems like it is gone but now I have been getting an alert from SpyBot-SD resident that something wants to change the

NoDriveTypeAutoRun value with new data: "hex:5F,00,00,

changed in System Startup user entry!

Does anyone know what may cause this message?

Zenobia

2010-10-14, 07:56

I believe the message is being caused because the NoDriveTypeAutoRun registry entry's value is being changed to 5f 00 00 00,which I *think* may be the default value on a Windows XP computer,from what I can gather(though I'm by no means 100% certain on that.)
Does Teatimer pop up about that when you're specifically doing something,or does it seem random?And could you rightclick Teatimer,select show log,and copy and paste it here?

As for win32/alureon.h,are you certain it was removed?There are no problems or oddities,etc. with your computer that you've noticed?

mrappe

2010-10-14, 17:21

I thought it was removed but today I noticed that whenever I click on a link in Google or Yahoo it is getting re-directed to some ad site. I looked at the non plug and play drivers and there are many that have a yellow explaination mark next to them. Also my browsing to a link is very slow. So Something must still be there. If I type in a http address in the URL window it goes to the right place.

jpChris

2010-10-14, 22:07

Hi mrappe,

The "NoDriveTypeAutoRun" entry in the registry is in several places and (with XP Pro SP2) there are two values: 0x00000091 (145); and 0x00000143 (323).

It's main function is to turn off Auto Play as a safety feature.

So, I'm not thinking that's your problem.

Would you please list the programs you used to kill the bug? Oftentimes to completely eradicate a virus you need to run several programs because what one doesn't see\delete\quarantine, another one will. Plus, they can be persistent little SOB's: They might be in the Prefetch folder, Layout.ini file, hidden in the registry, System Restore, etc.

Zenobia

2010-10-15, 00:18

mrappe,I suggest asking for help in Malware Removal.

Please read and follow Before You Post:
http://forums.spybot.info/showthread.php?t=288

Malware Removal:
http://forums.spybot.info/forumdisplay.php?f=22

Good luck. :)