I have 2012 NAV running on WinXP32 Pro. I have used my computers with Autorun/Autoplay turned off for some years now - through gpedit.msc / Computer Configuration / Administrative Templates / System / Turn off Autoplay: On all drives. This is also reflected in my registry as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer: "NoDriveTypeAutoRun"=dword:000000ff
A few days ago I inserted a friend's USB thumb drive into the USB port with full confidence that nothing will autorun or autoplay, which it didn't. In Explorer I could single-click on the Plus (+) next to the device name to display the root folders in the left window and folders and files in the right Explorer window. Still fine. I could see, amongst others, autorun.inf and driver.exe in the root. (I have Display Hidden and System files turned on, and also Hide Known File Extensions turned off.)
I wanted to create a new directory on that USB drive into which I wanted to copy a file, so I right-clicked on a blank area of the right-hand side Explorer window to get the context menu to create the directory. Stuff started happening. Norton piped up about having detected a threat in driver.exe. I thought it had done an autoscan of the contents of the root of that thumb drive.
But no, and this is what troubles me: Norton then reported that it had fixed 58 registry actions which this infected driver.exe had performed on my machine.
1. Why did Norton allow any registry activity from this infected file in the first place? It would have been better if activity had been prevented, surely?
2. Can anyone reveal why the autorun.inf or driver.exe files actually executed at all? I have previously right-clicked in right-hand Explorer windows with autorun.inf files in the root (genuine files, not malware) and the autorun.inf which would've kicked off a Setup or Install of software definitely has never run. Why now on this thumb drive?
Feedback definitely appreciated.
