AUTORUN.INF Viruses are virus that uses the Autorun feature of Windows to spread itself on computers. This virus makes a copy of the autorun.inf file to the root or main directory of all the drives on your PC, internal and / or external disks, to make the virus runs every time the external disks like pendrives or USB drives were inserted or every time you double-click the drives through the Windows Explorer.
A lot of this infections were found on Bolivia,Viet Nam, Ecuador, Pakistan, Philippines, India, Indonesia, Malaysia, Colombia and Mexico (this list of countries were based on the Google Trends results for the AUTORUN.INF VIRUS keyword search: http://www.google.com/trends?q=autorun.inf+virus). Based on the same source, late of 2007 was the peak of this kind of computer virus infections but it also shows that in year 2008 the autorun.inf virus are still prevalent and keep on spreading. That’s why I decided to write an article about this autorun.inf virus.
Known virus variants of this kind are the YahLover (which uses scvhost.exe and killer.exe), Bacalid (which uses ctfmon.exe), IMGKULOT and FAIZAL.JS virus.
Prevention of Autorun.INF Virus
I still believe that prevention is better than cure so I have prepared here several points on how to prevent this kind of infection.
1. First method is you can disable the AUTORUN feature of Windows by applying a registry modification on the Windows’ Registry Editor. To do this:
- Download: DISABLE-AUTORUN.REG and save this file on your computer.
- After downloading the file, open the folder where you download it and double-click the file. You will be confirmed by Registry Editor if you want to proceed, just click Yes button to continue. (If a different message was seen such as “Registry Editing has been disabled by your administrator.”, possibly your PC is infected already by a virus that prevents registry access. To correct this read the section on Removing Autorun.INF virus.)
- Restart your computer to apply these changes.
2. Another method is to create an AUTORUN.INF folder on the root directories (main directory usually represented by backslash symbol ) . You can do this via Windows Explorer or Command Prompt but I will recommend the method via Command Prompt.
- To run command prompt, click Start then Run or press the key combination: Winkey + R
- Type CMD then press enter. This will open the black and white environment.
- On the prompt, type MD C:AUTORUN.INF then press enter key.
- Repeat this procedure to other hard drives and USB drives. Just replace the C letter from the command with the appropriate drive letter of each storage device.
- If this fails, maybe your computer is infected already by the virus so read the next section for the solution of this problem.
Removing AUTORUN.INF virus manually
Manual removal procedure of the autorun.inf virus will vary depending on the attachment of the virus on the system. Actually this kind of infection is very easy to remove. Simple DOS commands can easily remove this kind of infection.
The following are just generic instructions and some of the steps might not be applicable to some virus infections that uses autorun.inf.
1. First, boot your system in Safe Mode Command Prompt Only. This can be done by restarting your computer and pressing F8 before the Windows Logo displays. It is important that you start the computer in this mode because all start-up programs are not started on this mode.
2. When you see the black and white environment, type the following commands (commands in BOLD). This commands will be used for analysis of the infection only:
- CD – This change the current folder to the main directory of drive C
- DIR /AH – Displays all files that are hidden. Usually virus hides their files by changing its attributes to Hidden and System attributes. If you find a file: AUTORUN.INF, it confirms the infection of the virus.
- TYPE AUTORUN.INF – This shows the content of the file autorun.inf. From the picture below you will see that the name of the virus is SAMPLE-VIRUS.EXE, which the name will usually comes with the line Open or Explore or Shell line of the autorun.inf. This shows that the virus carrier is the file SAMPLE-VIRUS.EXE
3. To remove the infection based on the analysis above type the following command:
- ATTRIB -H -R -S C:AUTORUN.INF – unhides the hidden file autorun.inf
- DEL C:AUTORUN.INF
- Repeat this step to other drives by replacing C: with other letters
4. To make sure that the carrier will not run during start-up, you need to make sure that it is disabled. Do this using the MSCONFIG tool of windows.
- On the same Safemode Command Prompt Mode, type MSCONFIG
- This will run the System Configuration Utility.
- As shown below, uncheck the suspected file. This will disable it from start-up and will not run again. To see other places where programs were place to run on start-up, see my previous posts: How to Determine the Windows Startup Programs?
Note: This manual removal is only recommended when your installed anti-virus is not working due to the said autorun.inf virus infection. My advice is that when the virus is already removed manually, try reinstalling or installing an antivirus and update your virus definition file and scan your system to ensure a virus-free PC.
If these steps specified here does not work for you, use TrendMicro Hijackthis (this is free and downloadable). Use it to analyze the system and produce a file called HIJACKTHIS.LOG. Send hijackthis.log produced to my email address so that I could analyze it and suggest an appropriate solution for it.