AUTORUN.INF Viruses are virus that uses the Autorun feature of Windows to spread itself on computers. This virus makes a copy of the autorun.inf file to the root or main directory of all the drives on your PC, internal and / or external disks, to make the virus runs every time the external disks like pendrives or USB drives were inserted or every time you double-click the drives through the Windows Explorer.
A lot of this infections were found on Bolivia,Viet Nam, Ecuador, Pakistan, Philippines, India, Indonesia, Malaysia, Colombia and Mexico (this list of countries were based on the Google Trends results for the AUTORUN.INF VIRUS keyword search: http://www.google.com/trends?q=autorun.inf+virus). Based on the same source, late of 2007 was the peak of this kind of computer virus infections but it also shows that in year 2008 the autorun.inf virus are still prevalent and keep on spreading. That’s why I decided to write an article about this autorun.inf virus.
Known virus variants of this kind are the YahLover (which uses scvhost.exe and killer.exe), Bacalid (which uses ctfmon.exe), IMGKULOT and FAIZAL.JS virus.
Prevention of Autorun.INF Virus
I still believe that prevention is better than cure so I have prepared here several points on how to prevent this kind of infection.
1. First method is you can disable the AUTORUN feature of Windows by applying a registry modification on the Windows’ Registry Editor. To do this:
- Download: DISABLE-AUTORUN.REG and save this file on your computer.
- After downloading the file, open the folder where you download it and double-click the file. You will be confirmed by Registry Editor if you want to proceed, just click Yes button to continue. (If a different message was seen such as “Registry Editing has been disabled by your administrator.”, possibly your PC is infected already by a virus that prevents registry access. To correct this read the section on Removing Autorun.INF virus.)
- Restart your computer to apply these changes.
2. Another method is to create an AUTORUN.INF folder on the root directories (main directory usually represented by backslash symbol \ ) . You can do this via Windows Explorer or Command Prompt but I will recommend the method via Command Prompt.
- To run command prompt, click Start then Run or press the key combination: Winkey + R
- Type CMD then press enter. This will open the black and white environment.
- On the prompt, type MD C:\AUTORUN.INF then press enter key.
- Repeat this procedure to other hard drives and USB drives. Just replace the C letter from the command with the appropriate drive letter of each storage device.
- If this fails, maybe your computer is infected already by the virus so read the next section for the solution of this problem.
Removing AUTORUN.INF virus manually
Manual removal procedure of the autorun.inf virus will vary depending on the attachment of the virus on the system. Actually this kind of infection is very easy to remove. Simple DOS commands can easily remove this kind of infection.
The following are just generic instructions and some of the steps might not be applicable to some virus infections that uses autorun.inf.
1. First, boot your system in Safe Mode Command Prompt Only. This can be done by restarting your computer and pressing F8 before the Windows Logo displays. It is important that you start the computer in this mode because all start-up programs are not started on this mode.
2. When you see the black and white environment, type the following commands (commands in BOLD). This commands will be used for analysis of the infection only:
- CD \ – This change the current folder to the main directory of drive C
- DIR /AH – Displays all files that are hidden. Usually virus hides their files by changing its attributes to Hidden and System attributes. If you find a file: AUTORUN.INF, it confirms the infection of the virus.
- TYPE AUTORUN.INF – This shows the content of the file autorun.inf. From the picture below you will see that the name of the virus is SAMPLE-VIRUS.EXE, which the name will usually comes with the line Open or Explore or Shell line of the autorun.inf. This shows that the virus carrier is the file SAMPLE-VIRUS.EXE
3. To remove the infection based on the analysis above type the following command:
- ATTRIB -H -R -S C:\AUTORUN.INF – unhides the hidden file autorun.inf
- DEL C:\AUTORUN.INF
- Repeat this step to other drives by replacing C:\ with other letters
4. To make sure that the carrier will not run during start-up, you need to make sure that it is disabled. Do this using the MSCONFIG tool of windows.
- On the same Safemode Command Prompt Mode, type MSCONFIG
- This will run the System Configuration Utility.
- As shown below, uncheck the suspected file. This will disable it from start-up and will not run again. To see other places where programs were place to run on start-up, see my previous posts: How to Determine the Windows Startup Programs?
Note: This manual removal is only recommended when your installed anti-virus is not working due to the said autorun.inf virus infection. My advice is that when the virus is already removed manually, try reinstalling or installing an antivirus and update your virus definition file and scan your system to ensure a virus-free PC.
If these steps specified here does not work for you, use TrendMicro Hijackthis (this is free and downloadable). Use it to analyze the system and produce a file called HIJACKTHIS.LOG. Send hijackthis.log produced to my email address so that I could analyze it and suggest an appropriate solution for it.
any one tried this Linux OS, if your windows system is infected with virus, like autorun.inf virus base on my experience it generates/create .exe file. you can easily delete autorun.inf and the exe files it created “TuJvPe.exe” something like this. just boot from your cd drive. then you will realize that your files isnt deleted yet, the virus just hide it. duplicate and rename with .exe folder. Hope it will help
I would like to know if anyone has dealt with this virus on an enterprise scale.
We have over two hundred users, in 10 different locations. We utilize a NAS device to map share drives to the different locations. I now see instances of the autorun.inf file in almost every folder on the NAS. The problem is that I don’t know which (or how many) computers are affected (infected).
What procedures do you think i will need to take? We use Vipre Enterprise anti-virus and AVG, but they only detect the .exe and .scr files that the autorun creates. I cannot delete the autorun.inf files on the network drives as they say they “are use by another program” Is there a way to figure out which pc is the culprit? or will I have to hire a team to run the cleanup on every computer over a weekend when no one is accessing the system.
Worked on One Computer Great, better than any other so-called tipp, but on my other computers in the Same network, I can’t Even Access Safety mode, even Administrator is rejected (no permissions). When trying to del from command, Not possible (file is in use by another process)
Any hint? Don’t want to install Windows and all the other Things on 5 Computers…
@Wishbone, In this case I usually use free anti-malware/virus tools which I listed on my post at http://www.bleuken.com/free-tools-virus-worm-malware-20081120/
Worked on One Computer Great, but Otters, I can’t Even Access Safety mode, even Administrator is rejected (no permissions). When trying to del from command, Not possible (file is in use by another process)
Any hint? Don’t want to install Windows on 5 Computers…
pano sa cellphone sd cards? how to delete the viruS?
Ganon pa rin mafelu. Try mo to have a clean PC muna then install an antivirus before mo insert ang SD Card then i-scan mo. 🙂
I don’t know hat had just happened but it deleted all my files on My Documents. All folder are still there but the contents(file/documents) are all gone. I must have done something wrong, because when i run the del c:\autorun.* /f /s /q /a command I was in “C:\Documents and Settings\Administrator>” on the command prompt. Since my system Restore is disabled I guess I’m pretty f**ked up at this point!!!!
@dez123, try using dir /ah on the command prompt. Check if the files are still there. There are some strain of viruses that hides the original file and create a ‘mimic’ of it. Maybe its Sality or other strain. Try to download AVG Sality remover it will fix this thing. Let me know if there are still some issues.
Thanks! This is the only thing that has worked on the autorun.inf on my flash drives, I followed your instructions re: the regedit, autorun folder and deleting in safe mode and all is well now.
My AV, Noob Killer and Autorun Eater did not work for me, the autorun.inf kept coming back.
Hey man I did everything you said but it looks way to confusing. I got RECYCLER.exe ????? but couldn’t find it on the start up processes in msconfig. I did the hijack this thing so give me your email address and I can send you the text document. I would appreciate it if you can help me out. Thank you.
i have a problem with my u.s.b. it stock because of autorun,inf how can i delete this virus iven anti virus apvast cant delete it please help me.. thank you
This is Ahmed, i have tried cleaning the autorun.inf gone thru Safe mode and disable the autorun folder, but inside the autrun folder i am unable to delete BY UC. folder which says “access denied, write protected”, please help me.