Combofix messed up autorun.inf

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by skidajmo, Jan 30, 2011.

  1. skidajmo

    skidajmo Private E-2

    After I used ComboFix my hard drives lost the ability to show ICO files on drives through autorun.inf.
    I had one autorun.inf file for each partition (or USB or external hard drive) with this line:
    [autorun]
    ICON=AUTORUN\Samsung.ICO (or WD.ICO, Seagate.ICO, whatever...)
    I still have those autorun.inf files and icons but they don't work; I tried a lot of things but without success. ComboFix messed up that feature badly.
    Is there any way to repair that? I prefer using those autorun.inf files, since I'm very cautious and I'm not threatened by viruses through that feature.
    ComboFix also unhid some of my hidden folders (which are hidden by default) no matter what the settings in Windows for hidden files are.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Who asked you to run ComboFix to begin with and why? It is not something you should be running without the guidance of a malware removal expert. Also this is not a malware problem!

    ComboFix removes the ability to use autorun.inf file because they are a very large cause of infections and spreading of infections. Just about every malware removal expert will tell you that you need to disable autoruns as part of your protection plan. Why do you need to use an autorun.inf file to display an ico file and is it really worth compromising your security?

    View of hidden/system files is also enabled as part of ComboFix and it is also a standard procedure during malware removal to help uncover hiding malware files and folders. Uninstalling ComboFix will restore them back to defaults but this will also remove any backups that ComboFix made when you ran it so you may wish to hold off on doing that right now.

    Try running the below, which fixes autoplay features. Not sure it will fix autorun features though.

    http://www.microsoft.com/downloads/en/details.aspx?familyid=c680a7b6-e8fa-45c4-a171-1b389cfacdad&displaylang=en
     
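    The reason autorun.inf is treated as an infection vector is what it can ask Windows to launch, not the icon line. As an added example that is not part of this thread (PowerShell; both sample files are constructed, the first mirrors the icon-only file from the opening post and the second the shape autorun worms use, with hypothetical paths), this triages an autorun.inf by separating cosmetic entries from entries that run a program:

```powershell
# Added example, not from this thread: triage an autorun.inf the way a
# responder would, separating cosmetic entries (icon, label) from entries
# that make Windows launch something. Both sample files are constructed.

# Keys under [autorun] that launch a program directly.
$script:LaunchKeys = @('open', 'shellexecute')

function Parse-AutorunInf {
    param([Parameter(Mandatory=$true)][string]$Content)
    $section = ''
    $entries = @()
    foreach ($raw in ($Content -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment line
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($line -match '^([^=]+)=(.*)$') {
            $entries += New-Object PSObject -Property @{
                Section = $section
                Key     = $Matches[1].Trim().ToLower()
                Value   = $Matches[2].Trim()
            }
        }
    }
    return ,$entries
}

function Test-AutorunInf {
    param([Parameter(Mandatory=$true)][string]$Content)
    $findings = @()
    foreach ($e in (Parse-AutorunInf -Content $Content)) {
        # Windows also honours per-architecture sections such as [autorun.amd64].
        if ($e.Section -ne 'autorun' -and -not $e.Section.StartsWith('autorun.')) { continue }
        if ($script:LaunchKeys -contains $e.Key) {
            $findings += "launches a program: $($e.Key)=$($e.Value)"
        } elseif ($e.Key -like 'shell\*\command') {
            $findings += "context-menu / default action runs: $($e.Key)=$($e.Value)"
        } elseif ($e.Key -eq 'shell') {
            $findings += "changes the default double-click verb: shell=$($e.Value)"
        } elseif ($e.Key -eq 'useautoplay' -and $e.Value -eq '1') {
            $findings += "forces AutoPlay: useautoplay=1"
        }
        # icon=, label=, action= and the rest are cosmetic and not reported.
    }
    New-Object PSObject -Property @{
        RunsCode = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Constructed sample 1: the icon-only file described in the opening post.
$iconOnly = @"
[autorun]
ICON=AUTORUN\Samsung.ICO
"@

# Constructed sample 2: the shape used by autorun worms (hypothetical paths).
$wormStyle = @"
[autorun]
open=RECYCLER\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
shell=open
"@

Test-AutorunInf -Content $iconOnly  | Format-List
Test-AutorunInf -Content $wormStyle | Format-List
```

    The point of the second sample is that a worm can keep a perfectly normal icon= line while wiring setup.exe into both AutoPlay and the drive's Explore/Open context-menu entries, so a drive that "just shows an icon" is not distinguishable from an infected one without reading the file. Point the function at a real file with `Test-AutorunInf -Content (Get-Content E:\autorun.inf -Raw)` on PowerShell 3 or later, or `(Get-Content E:\autorun.inf) -join "`n"` on older versions.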
  3. skidajmo

    skidajmo Private E-2

    My friend's computer was badly messed up with different pests so I wanted to try it on my computer before I attempt to fix his, but I didn't know that it (ComboFix) turns the system inside-out. It's a tool for, let's say, a "last attempt" before reinstallation. I used to fix any issue with Malwarebytes' AM so far. Actually I worked as a computer serviceman for a long time but never used a tool like ComboFix. Yeah, I like those icons. I didn't have any problem with viruses or whatever because I almost never bring flash memory from other sources. I already tried that Microsoft fix and it didn't work.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, this is not really true either, but it is a tool that needs to be run only under expert supervision, and other things need to be run before using it. It should never be run just for the heck of it or to test how it works ;). It has great power and with that great power there are sometimes difficulties that arise. And like many scanners, it also has its own share of false positives; however, the change to autoruns is not really considered a false positive. It is actually considered a necessary change to provide proper security and to also automatically fix several hundred if not thousands of forms of autorun infections.

    MBAM is a great tool but it cannot fix every malware problem that exists these days. Not even close which is why forums like this exist. :) MBAM is one of the tools we also use in our standard cleaning process.

    Attach the log from ComboFix. (See: HOW TO: Attach Items To Your Post )

    Did you try using System Restore?
     
  5. skidajmo

    skidajmo Private E-2

    Yeah but it doesn't work.

    OK, here's the ComboFix log in the attachment.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did you run ComboFix with a /u command line option? It is not even valid anymore to use that. That was the old command to uninstall it too.

    Did you run ComboFix more than once (it looks like you did) or did you run it with the /u option the first time?

    Did you notice that it said
    It is possible that you have more files infected if regedit.exe was/is infected.

    I see nothing in combofix showing that it deleted any autorun.inf files so it may just be registry settings that were modified. ComboFix may have automatically made changes like the one in the below link to disable autoruns but I'm not sure why a System Restore would not undo those registry changes.

    Disabling AutoRuns
     
  7. skidajmo

    skidajmo Private E-2

    I ran ComboFix twice. The first time normally and the second time with the /u option (I tried to uninstall it but it certainly was the old command, as you said), and the third time I uninstalled it with the /Uninstall option. I don't know, but the system restore point doesn't work for me, maybe because it was turned off before I started ComboFix. Well, there is a certain system restore point but I couldn't get those settings back with it.
    It's somehow strange that it reports regedit.exe infected. Could it be a possible result of changing some settings manually? I mean it's nothing much, just common proven registry changes for some programs. I keep my PC really clean and have not much chance to get infected. Malwarebytes' and Kaspersky always come up clean after the scan.
    OK, could you make one reg file for WinXP to get my AutoRun capability back? I can disable it easily if I have to... Thanks for your support.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This was also not a good thing to do because when you did this, you deleted the backups that ComboFix created.

    No. It is more likely that you have infected system files or you have versions that do not match the version of Windows that you are running. Just because MBAM and Kaspersky do not find any problems, it is not a guarantee that you are clean. Based on your ComboFix log you have other non-valid sizes for files or you have never properly updated Windows. One file shown that is not expected is Windows Explorer
    Code:
    2008-04-14   975872  [6.00.2900.5512] c:\windows\explorer.exe
    2008-04-14   975872  [6.00.2900.5512] c:\windows\system32\dllcache\explorer.exe
    Likely will not work since I really have no way of knowing what some of your settings were to begin with which is why backups of the registry are also recommended in the link I gave you.

    It is possible that the Erunt (registry backup tool) that ComboFix makes use of still exists (that is, uninstalling ComboFix may not have removed it). You may be able to do something like below with your Windows XP Pro boot CD.

    1. Restart your computer
    2. Before Windows loads, you will be prompted to choose which Operating System to start
    3. Use the up and down arrow key to select Microsoft Windows Recovery Console
    4. You must enter which Windows installation to log onto. Type 1 and press enter.
    5. At the C:\Windows prompt, type the following bolded text, and press Enter:
    cd erdnt\Hiv-backup
    6. At the next prompt, type the following bolded text, and press Enter:
    batch erdnt.con
    7. The Erunt backups will begin copying.
    8. At the next prompt, type the following bolded text, and press Enter to reboot your PC and remove your boot CD and boot normally
    exit


    If that does not help, the only option that may work is a Windows Repair and if not, then a reinstall.
     
  9. skidajmo

    skidajmo Private E-2

    OK, I haven't tried that registry backup restore over the recovery console, but I deleted the value in this registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
    And AutoRun works now again (at least for removable drives; I haven't tried it with hard drives but I think it should work now).
    Do you have any tips for getting back those hidden folder settings, without doing that manually ofc? :D
     
  10. skidajmo

    skidajmo Private E-2

    Sorry for making so many posts, but I just found the "hidden folders" registry tree, where ComboFix edited it so that all hidden folders are unhidden by default no matter what the setting is:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

    I just put CheckedValue and DefaultValue both to 1 and it's as it was before. You can hide and unhide hidden folders normally. I hope this helps someone else too...
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Glad to hear you have it worked out.

    Uninstalling ComboFix automatically rehides things.

    Also, running our cleaning procedures helps you/us see the registry settings to make changes to if necessary. Our cleaning process also unhides things when run and then, when we get to final instructions, we rehide everything during the cleanup. In the future, if you have malware problems, it would be best to follow the instructions in the below:

    READ & RUN ME FIRST. Malware Removal Guide

    However since you have unusual and insecure desires to have autorun work, you should not run ComboFix since it will always change this by default. But do note, that to remove or even detect quite a few infections, ComboFix is a necessity.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not the correct values for these keys. CheckedValue should be 1 and DefaultValue should be 2.

    There are many keys that are involved with various aspects of hiding or unhiding files and folders. The below is a list of them, but the first registry key listed is shown with values used to unhide files, system files, and file extensions, which is desirable during malware cleanup and also a more desirable state to normally run with. Otherwise you allow malware to too easily hide from view.

     
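    The two registry locations this thread ends up on, audited and set from PowerShell. This is an added example and not something posted in the thread; the key paths and values are the ones given above (CheckedValue=1, DefaultValue=2 for SHOWALL; the IniFileMapping default of @SYS:DoesNotExist that neutralises autorun.inf), the function names are mine, and it needs an elevated prompt because both keys live under HKLM:

```powershell
# Added example, not from this thread: audit and optionally set the two
# registry locations discussed above. Run from an elevated PowerShell.
# Key paths and values are as given in the thread; function names are mine.

$ShowAllKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$IniMapKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$NeutralInf = '@SYS:DoesNotExist'   # maps autorun.inf parsing to a registry key that does not exist

function Get-HiddenFolderToggleState {
    # Healthy means the "Show hidden files and folders" radio button works again:
    # CheckedValue=1 is the "show" state, DefaultValue=2 the "do not show" state.
    $p = Get-ItemProperty -Path $ShowAllKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        CheckedValue = $p.CheckedValue
        DefaultValue = $p.DefaultValue
        Healthy      = ($p.CheckedValue -eq 1 -and $p.DefaultValue -eq 2)
    }
}

function Get-AutorunInfMappingState {
    # If the key exists with this default, Windows reads autorun.inf "from"
    # a registry key that does not exist, so every autorun.inf is ignored.
    $present = Test-Path -Path $IniMapKey
    $default = $null
    if ($present) {
        $default = (Get-ItemProperty -Path $IniMapKey -ErrorAction SilentlyContinue).'(default)'
    }
    New-Object PSObject -Property @{
        KeyPresent         = $present
        DefaultValue       = $default
        AutorunNeutralised = ($default -eq $NeutralInf)
    }
}

function Repair-HiddenFolderToggle {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    if ($PSCmdlet.ShouldProcess($ShowAllKey, 'Set CheckedValue=1, DefaultValue=2')) {
        Set-ItemProperty -Path $ShowAllKey -Name CheckedValue -Value 1 -Type DWord
        Set-ItemProperty -Path $ShowAllKey -Name DefaultValue -Value 2 -Type DWord
    }
}

function Set-AutorunInfNeutralised {
    # -Enable applies the hardening ComboFix leaves behind; without it the
    # mapping is removed, which is what the poster did by hand to get icons back.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([switch]$Enable)
    if ($Enable) {
        if ($PSCmdlet.ShouldProcess($IniMapKey, "Map autorun.inf to $NeutralInf")) {
            if (-not (Test-Path -Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
            Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value $NeutralInf
        }
    } elseif (Test-Path -Path $IniMapKey) {
        if ($PSCmdlet.ShouldProcess($IniMapKey, 'Remove autorun.inf mapping (re-enables autorun.inf)')) {
            Remove-Item -Path $IniMapKey
        }
    }
}

# Audit first; nothing below changes the registry.
Get-HiddenFolderToggleState | Format-List
Get-AutorunInfMappingState  | Format-List

# Then, deliberately, with -WhatIf dropped once the output looks right:
# Repair-HiddenFolderToggle -WhatIf
# Set-AutorunInfNeutralised -Enable -WhatIf
```

    Both setters support -WhatIf and -Confirm, so the audit and the change are separate steps. Removing the IniFileMapping key (the no -Enable branch) is exactly what restores the icons in this thread, and it also restores the autorun.inf behaviour chaslang warns about; the Explorer hidden-file fix has no such trade-off and is safe to apply on its own.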
  13. skidajmo

    skidajmo Private E-2

    Thank you!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     