The Autorun/Autoplay mess (restoring autorun)

  1. #1
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81

    The Autorun/Autoplay mess (restoring autorun)

    Hey guys, I'm running Windows XP Home, I believe, SP3, and recently I was attacked by a certain autorun.inf, I think, or .ini. So since it was malware (supposedly) I ran Combofix, and I'm sure it was deleted due to the fact that my trying to re-enable it from the registry didn't work. For the record, I like autorun and there are just some things you can't do without it, so any help would be awesome... I have my XP CD if it helps as far as reinstalling autorun... ("Someone wish me luck LOL")

  2. #2
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81
    Also, I had recently downloaded TweakUI and it was of no assistance to me, which was really confusing... it should have worked... anyway, any suggestions would be great :)

  3. #3
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81
    Another question also... Was it right for me to start the thread here? Or should I have dug more specifically? ... idk, I just don't want to be a nuisance

  4. #4
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Dave you are fine starting a thread here.

    What anti virus do you run? AVG 8 will kill this virus... and then all you have to do is sort out the real autorun...

    You should also run MalwareBytes AntiMalware to check it's gone.

    BUT what most people forget to do is have the usb drive or drives connected when they do the virus/malware scan... so they plug in the usb drive later and promptly get infected again!

    Download this and run it - it should fix the autorun so it works correctly.

  5. #5
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81
    Ok, sounds good, but I don't have AVG, I have ESET Smart Security, but I do have Malwarebytes and I ran several scans, so maybe I did fix it but it probably came back... and that's why I think it got permanently deleted by Combofix. Anyway, I will do what you said and download this. Brb

  6. #6
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81
    Ok, so I downloaded AutoFix, but should I do my hard drive or do all of them 1 by 1? I just did my DVD/CD-RW drive, but when I logged back on there was no change. Here's the log:

    AutoFix [V5.2.3790.67]
    Time [2009-06-28 10:49:05]
    Microsoft Windows Version [5.1 (Service Pack 2) <2600>]

    Test [The Shell Hardware Detection service is running.] - Instance [N/A]:
    Result [AutoStart Setting]: OK
    Result [The Shell Hardware Detection service is running.]: OK

    Test [Policies] - Instance [D:\, Drive Type: 5]:
    Result [HKCU\...\Policies!NoDrives]: OK {Present}
    Result [HKCU\...\Policies!NoDriveAutorun]: Problems {Present}
    Result [HKCU\...\Policies!NoDriveTypeAutorun]: OK {Present}
    >> Repair << [HKCU\...\Policies!NoDriveAutorun]
    Step: Resetting policy HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveAutorun to 0x03FFFFF7.
    Result: This AutoPlay setting was successfully fixed.

    >> Required action: The user must log off and log on again

    So I don't really get it... I'm going to run another scan with Malwarebytes, brb :/
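
    Added example, not part of the original posts: the AutoFix log above resets `NoDriveAutorun` to 0x03FFFFF7, and this Python sketch decodes that per-letter bitmask together with the per-type `NoDriveTypeAutorun` mask. The function names and the sample type mask 0x91 are assumptions made for the illustration; the flag meanings are the ones Microsoft documents for these policy values.

```python
import string

# NoDriveTypeAutorun flags (a set bit disables AutoPlay for that drive type).
DRIVE_TYPE_FLAGS = {
    0x01: "unknown type",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown type (reserved)",
}

def letters_by_state(no_drive_autorun):
    """NoDriveAutorun: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:. Set bit = disabled."""
    enabled, disabled = [], []
    for index, letter in enumerate(string.ascii_uppercase):
        (disabled if (no_drive_autorun >> index) & 1 else enabled).append(letter)
    return enabled, disabled

def disabled_types(no_drive_type_autorun):
    """Names of the drive types switched off by NoDriveTypeAutorun."""
    return [name for bit, name in sorted(DRIVE_TYPE_FLAGS.items())
            if no_drive_type_autorun & bit]

def autoplay_allowed(letter, type_flag, no_drive_autorun, no_drive_type_autorun):
    """AutoPlay is allowed only when neither policy value disables the drive."""
    index = ord(letter.upper()) - ord("A")
    if not 0 <= index < 26:
        raise ValueError("drive letter must be A-Z")
    off_by_letter = (no_drive_autorun >> index) & 1
    off_by_type = no_drive_type_autorun & type_flag
    return not (off_by_letter or off_by_type)

LOGGED_MASK = 0x03FFFFF7   # value written by the repair step in the log
SAMPLE_TYPE_MASK = 0x91    # constructed sample value, not taken from the thread

if __name__ == "__main__":
    enabled, disabled = letters_by_state(LOGGED_MASK)
    print("AutoPlay enabled by letter :", enabled)
    print("AutoPlay disabled by letter:", len(disabled), "letters")
    print("Types disabled by sample   :", disabled_types(SAMPLE_TYPE_MASK))
    print("D: as CD-ROM allowed       :",
          autoplay_allowed("D", 0x20, LOGGED_MASK, SAMPLE_TYPE_MASK))
    print("E: as removable allowed    :",
          autoplay_allowed("E", 0x04, LOGGED_MASK, SAMPLE_TYPE_MASK))
```

    In the logged value only bit 3 is clear, so by drive letter AutoPlay is left enabled on D: alone, the drive the repair was run against.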

  7. #7
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81
    Oh wow, I just realized what you said. I have several USB devices: I got a bootleg iPod MP4 and Sansa music player, a micro card and USB card reader, and a Cruzer with the U2 program or something like that. Should I scan each device and run a full scan after? I don't know where to start LOL, and ESET just found 2 trojans without me scanning, literally just now. I think 1 was one of my restore points... This is funny cuz all my restore points were gone when I checked them last; I only had 1 month with like 2 points? Anyway, not to go off topic, but I'm sure it might shed some light... k, brb after scan

  8. #8
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81
    Oh man, alright, here's the log for those 2 files found on ESET:
    6/28/2009 11:40:25 AM Real-time file system protection file C:\qoobox\quarantine\c\windows\msa.exe.vir Win32/TrojanDownloader.FakeAlert.ADH trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
    6/28/2009 11:40:25 AM Real-time file system protection file C:\system volume information\_restore{a8a7d3ee-33ff-4f3f-bf31-d199ad2813ce}\rp81\A0039865.exe Win32/TrojanDownloader.FakeAlert.ADH trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
    And this is even better, here's what Malwarebytes found:
    Malwarebytes' Anti-Malware 1.38
    Database version: 2346
    Windows 5.1.2600 Service Pack 2

    6/28/2009 12:00:45 PM
    mbam-log-2009-06-28 (12-00-39).txt

    Scan type: Full Scan (A:\|C:\|D:\|)
    Objects scanned: 173012
    Time elapsed: 47 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Qoobox\quarantine\C\WINDOWS\msa.exe.vir (Trojan.FakeAlert) -> No action taken.
    c:\system volume information\_restore{a8a7d3ee-33ff-4f3f-bf31-d199ad2813ce}\RP82\A0040013.exe (Dont.Steal.Our.Software.A) -> No action taken.
    c:\system volume information\_restore{a8a7d3ee-33ff-4f3f-bf31-d199ad2813ce}\RP87\A0042510.exe (Dont.Steal.Our.Software.A) -> No action taken.
    Files Infected:
    c:\Qoobox\quarantine\C\WINDOWS\msa.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{a8a7d3ee-33ff-4f3f-bf31-d199ad2813ce}\RP82\A0040013.exe (Dont.Steal.Our.Software.A) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{a8a7d3ee-33ff-4f3f-bf31-d199ad2813ce}\RP87\A0042510.exe (Dont.Steal.Our.Software.A) -> Quarantined and deleted successfully.
    And now I am prompted to restart, so I am doing so, brb with some info...

  9. #9
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81
    Alright, I restarted and now I'm running ESET, and also will run Spybot and Ad-Aware, which will take forever. I'm not sure if I should be scanning until I scan the USB devices and autofix them, but I'm running them anyway until I know for sure what to do. I'm leaving for work at 2, so I'll probably be back around eight, so after ESET I'm gonna stop until I get back. Still no luck with autorun...

  10. #10
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    What you have to do is get rid of the fake autoruns and then put back the correct ones.

    You might be better off removing the autorun.inf manually from each usb device. To do this go into safe mode and make sure you can see hidden files and folders. Open the usb device in command line...

    So open a cmd prompt and type in
    X:
    Where X is the drive letter of your usb drive
    Hit enter
    then type in
    attrib -r -s -h autorun.inf
    hit enter
    now type in
    del autorun.inf
    hit enter

    Do this for each of your usb devices.
    Then all you have to do is put the correct autorun file back...
    Never, ever approach a computer saying or even thinking "I will just do this quickly."
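
    Added example, not part of the original posts: before running `del autorun.inf` as described above, it helps to see which program the file would have launched so that file can be checked and removed too. This Python sketch lists the launch entries of an autorun.inf; the function names and the sample file content are constructed for the illustration.

```python
# Keys in the [autorun] section whose value is a command line.
LAUNCH_KEYS = ("open", "shellexecute")

def launch_entries(text):
    """Return (key, command) for every [autorun] entry that starts a program."""
    section, found = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or section != "autorun":
            continue                      # junk line or unrelated section
        # open=, shellexecute= and shell\<verb>\command= all name a command
        if key in LAUNCH_KEYS or (key.startswith("shell\\")
                                  and key.endswith("\\command")):
            found.append((key, value.strip()))
    return found

def referenced_files(text):
    """Program named by each launch entry (first token, quotes honoured)."""
    names = set()
    for _key, command in launch_entries(text):
        if command.startswith('"'):
            names.add(command[1:].split('"', 1)[0])
        elif command:
            names.add(command.split()[0])
    return sorted(names)

# Constructed sample content, not a file from the thread.
SAMPLE = r"""
; constructed sample
[AutoRun]
open=Start.exe
icon=folder.ico
shell\open\command=Start.exe
shell\explore\command = Start.exe /e
label=CRUZER
"""

if __name__ == "__main__":
    for key, command in launch_entries(SAMPLE):
        print(f"{key:24} -> {command}")
    print("files to check on the drive:", referenced_files(SAMPLE))
```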

  11. #11
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81
    Ok, I put it in safe mode and checked each device, but they don't seem to have autorun. The response I get is autorun.inf not found. Except for my SanDisk Sansa, which doesn't show at all in safe mode for some reason. Maybe they have different file names? Actually, I checked the flash drive inside and it doesn't have any files related to autorun... so idk
    Last edited by daveislost; June 29th, 2009 at 09:34 AM.

  12. #12
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Did you make sure that hidden and system files were showing?

  13. #13
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81
    Ok, so I didn't select System files, so I checked them again without safe mode. They all have no autorun-related files, BUT I did see some interesting things. First, my MP4 has a strange notepad file with 3 squares as the name, and when I open it, it has what looks like an 18-step list of something in code or another language. It seems to be the only system file besides WMP info. Now, 2nd was the SanDisk Cruzer. ESET found a Start.exe file, AKA win32/autorun.pu worm, and deleted it immediately, but no other autorun files. 3rd was the memory card, which also had no autorun files but does have an ESS file labeled tfs4_160.ess which looks harmless and/or important. And last but not least, the SanDisk Sansa MP3 player, which did in fact show now. Not only did it show, so did a window labeled Portable Device which looks like autorun (Open device, Sync to WMP, and Cancel). Now, this is the only device that does that, yet I can't seem to find an autorun file in it either, and no strange files. So after all that I checked a disc and no autorun... I'm going to redo in safe mode with cmd prompt, hopefully it doesn't say not found... brb

  14. #14
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81
    I also found something in my quarantine list in ESET: on 5/16/09 a certain autorun.inf was quarantined and deleted

  15. #15
    Registered User
    Join Date
    Jun 2007
    Location
    Im always hangin around NB,NJ (North Bergen) chillin with some Gritty dudes
    Posts
    81
    Oh wow, I just realized that it was deleted from the same device, the Cruzer... oh well, at least it's clean lol. Actually, I want to wait for your advice on what to do before I assume searching for autorun.inf through cmd prompt in safe mode again
