We have an issue with a file opening up, on startup, on all client machines. It doesn't appear on the servers when we log on to those. If we delete the files they simply reappear. Currently MBam will not install, and neither will mbam clean, sure signs that there is an infection somewhere. I ran MBam from my laptop, albeit an old version, targeting the main server drives via mapping, but it found nothing. I am unable to update the laptop, although I may be able to at home... This is becoming an issue because somehow certain pupils are able to write back the notepad file, leaving rude comments!!!



You mention Students / Client workstations, don't you have an IT department with a Network Administrator?

Are you sure you just don't have students using "Broadcast" to broadcast messages "To All Clients"?

What are you running?


MS Active Directory?


Block AutoRun for all devices all the time

You might think that you could protect yourself from AutoRun by using two keys in the Registry known as NoDriveAutoRun and NoDriveTypeAutoRun.

However, self-described "low-budget hacker" Nick Brown points out that these keys can be overridden. A Registry key named MountPoints2 stores information about all USB flash drives and other removable media that have ever been connected to your computer. Brown says this cache overrides the Registry settings that turn off AutoRun.

The solution is to globally block autorun.inf files from executing, without trying to use the dialog boxes in XP and Vista to do this. Here's the procedure:

Step 1. Start Notepad or another text editor.

Step 2. Copy the following text from this page and paste it into your text editor (everything between the square brackets should be all on one line):


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]


Step 3. Save the file with a name like NoAutoRun.reg, taking care to include the .reg extension.

Step 4. Right-click your .reg file and choose Merge. Confirm any warning prompts to add the information to the Registry.

UPDATE 2009-01-21: As an extra precaution, it's a good idea to reboot your PC after Step 4, on the off chance that some old information was residing in cache memory.
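
A read-only check of the settings discussed in the post above, added here as an example and not taken from the quoted article or from any poster. It reports whether the IniFileMapping entry from Step 2 is in place, what NoDriveTypeAutoRun is set to, and how many MountPoints2 entries carry cached shell commands. The expected value data `@SYS:DoesNotExist`, the `0xFF` comparison and the helper name `Get-RegValue` are assumptions that do not appear on this page; PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of the AutoRun settings discussed above.
# Assumption: this value data is the one commonly published for the
# IniFileMapping workaround; it does not appear on this page.
$ExpectedMapping = '@SYS:DoesNotExist'

function Get-RegValue {   # hypothetical helper; returns $null if key or value is absent
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

$results = @()

# 1. The IniFileMapping entry from Step 2 (default value of the Autorun.inf key).
$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mapVal = Get-RegValue -Path $mapKey -Name '(default)'
$results += [pscustomobject]@{
    Check  = 'IniFileMapping\Autorun.inf'
    Value  = $mapVal
    Status = $(if ($mapVal -eq $ExpectedMapping) { 'OK' } else { 'NOT APPLIED' })
}

# 2. NoDriveTypeAutoRun, machine-wide and per-user. 0xFF covers every drive type.
foreach ($hive in 'HKLM', 'HKCU') {
    $polKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = Get-RegValue -Path $polKey -Name 'NoDriveTypeAutoRun'
    $results += [pscustomobject]@{
        Check  = "$hive NoDriveTypeAutoRun"
        Value  = $(if ($null -ne $val) { '0x{0:X}' -f $val } else { '(not set)' })
        Status = $(if ($val -eq 0xFF) { 'OK' } else { 'WEAK' })
    }
}

# 3. MountPoints2 entries for the current user that carry a cached Shell subkey.
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$cached = @(Get-ChildItem -LiteralPath $mp2 -ErrorAction SilentlyContinue |
    Where-Object { Test-Path -LiteralPath (Join-Path $_.PSPath 'Shell') })
$results += [pscustomobject]@{
    Check  = 'MountPoints2 entries with Shell subkey'
    Value  = $cached.Count
    Status = $(if ($cached.Count -eq 0) { 'OK' } else { 'REVIEW' })
}

$results | Format-Table -AutoSize
```

Run it as the logged-on user whose profile you want checked, since the HKCU and MountPoints2 checks read that user's hive.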

Thanks for your reply!

We are the IT dept!

I have attached a copy of the contents of said file...

I am aware that livaalma and portuamor have been connected with the autorun issue and have frequently been found on mem sticks but usually Sophos zaps them. In this case it is not. Students are unable to "broadcast" or MSN as the system is quite tight .. however every now and again we find a student whose user rights are not quite what they should be.




I work at a high school myself.

Last year students would bring in their thumb drives with a portable FF using HTTPS to try and bypass our firewalls. Blocking HTTPS took care of that issue.

I would think you'd be able to set a policy to block both livaalma and portuamor.

The district I work for decided to purchase / lease all new staff laptops this school year. Of course they didn't ask any of us Technicians what we thought about doing that. What a nightmare. We knew what was going to happen, but we're just technicians so they don't listen to us.

We always have issues with the staff laptops because they take them home and get them infected. You can set all the server based blocks you want but that doesn't work when they are at home.

The laptops only have an anti-virus program installed but no real time anti-malware, that costs money.

The only nice thing about the laptops is they are all the same model. We have an image for them so when they are infected we just re-image them.

We didn't do that at first but we were spending way too much time trying to clean them.

Yes, they lose their data but they are responsible to save / back it up.

Glad we could help. ;)


