AUTORUN.INF Viruses are virus that uses the Autorun feature of Windows to spread itself on computers. This virus makes a copy of the autorun.inf file to the root or main directory of all the drives on your PC, internal and / or external disks, to make the virus runs every time the external disks like pendrives or USB drives were inserted or every time you double-click the drives through the Windows Explorer.

A lot of this infections were found on Bolivia,Viet Nam, Ecuador, Pakistan, Philippines, India, Indonesia, Malaysia, Colombia and Mexico (this list of countries were based on the Google Trends results for the AUTORUN.INF VIRUS keyword search: http://www.google.com/trends?q=autorun.inf+virus). Based on the same source, late of 2007 was the peak of this kind of computer virus infections but it also shows that in year 2008 the autorun.inf virus are still prevalent and keep on spreading. That’s why I decided to write an article about this autorun.inf virus.

Known virus variants of this kind are the YahLover (which uses scvhost.exe and killer.exe), Bacalid (which uses ctfmon.exe), IMGKULOT and FAIZAL.JS virus.

Prevention of Autorun.INF Virus

I still believe that prevention is better than cure so I have prepared here several points on how to prevent this kind of infection.

1. First method is you can disable the AUTORUN feature of Windows by applying a registry modification on the Windows’ Registry Editor. To do this:

  • Download: DISABLE-AUTORUN.REG and save this file on your computer.
  • After downloading the file, open the folder where you download it and double-click the file. You will be confirmed by Registry Editor if you want to proceed, just click Yes button to continue. (If a different message was seen such as “Registry Editing has been disabled by your administrator.”, possibly your PC is infected already by a virus that prevents registry access. To correct this read the section on Removing Autorun.INF virus.)
  • Restart your computer to apply these changes.

2.    Another method is to create an AUTORUN.INF folder on the root directories (main directory usually represented by backslash symbol \ ) . You can do this via Windows Explorer or Command Prompt but I will recommend the method via Command Prompt.

  • To run command prompt, click Start then Run or press the key combination: Winkey + R
  • Type CMD then press enter. This will open the black and white environment.
  • On the prompt, type MD C:\AUTORUN.INF then press enter key.
  • Repeat this procedure to other hard drives and USB drives. Just replace the C letter from the command with the appropriate drive letter of each storage device.
  • If this fails, maybe your computer is infected already by the virus so read the next section for the solution of this problem.

Removing AUTORUN.INF virus manually

Manual removal procedure of the autorun.inf virus will vary depending on the attachment of the virus on the system. Actually this kind of infection is very easy to remove. Simple DOS commands can easily remove this kind of infection.

The following are just generic instructions and some of the steps might not be applicable to some virus infections that uses autorun.inf.

1. First, boot your system in Safe Mode Command Prompt Only. This can be done by restarting your computer and pressing F8 before the Windows Logo displays. It is important that you start the computer in this mode because all start-up programs are not started on this mode.

2. When you see the black and white environment, type the following commands (commands in BOLD). This commands will be used for analysis of the infection only:

  • CD \ – This change the current folder to the main directory of drive C
  • DIR /AH – Displays all files that are hidden. Usually virus hides their files by changing its attributes to Hidden and System attributes. If you find a file: AUTORUN.INF, it confirms the infection of the virus.
  • TYPE AUTORUN.INF – This shows the content of the file autorun.inf. From the picture below you will see that the name of the virus is SAMPLE-VIRUS.EXE, which the name will usually comes with the line Open or Explore or Shell line of the autorun.inf. This shows that the virus carrier is the file SAMPLE-VIRUS.EXE

Safemode Command Prompt Only

Command Prompt window after dir/ah and type autorun.inf

3. To remove the infection based on the analysis above type the following command:

  • ATTRIB -H -R -S C:\AUTORUN.INF – unhides the hidden file autorun.inf
  • DEL C:\AUTORUN.INF
  • Repeat this step to other drives by replacing C:\ with other letters

4. To make sure that the carrier will not run during start-up, you need to make sure that it is disabled. Do this using the MSCONFIG tool of windows.

  • On the same Safemode Command Prompt Mode, type MSCONFIG
  • This will run the System Configuration Utility.
  • As shown below, uncheck the suspected file. This will disable it from start-up and will not run again. To see other places where programs were place to run on start-up, see my previous posts: How to Determine the Windows Startup Programs?

System Configuration Utility

System Configuration Utility window

Note: This manual removal is only recommended when your installed anti-virus is not working due to the said autorun.inf virus infection. My advice is that when the virus is already removed manually, try reinstalling or installing an antivirus and update your virus definition file and scan your system to ensure a virus-free PC.

If these steps specified here does not work for you, use TrendMicro Hijackthis (this is free and downloadable). Use it to analyze the system and produce a file called HIJACKTHIS.LOG. Send hijackthis.log produced to my email address so that I could analyze it and suggest an appropriate solution for it.

0 0 votes
Article Rating
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

151 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
slapstick
slapstick
9 years ago

any one tried this Linux OS, if your windows system is infected with virus, like autorun.inf virus base on my experience it generates/create .exe file. you can easily delete autorun.inf and the exe files it created “TuJvPe.exe” something like this. just boot from your cd drive. then you will realize that your files isnt deleted yet, the virus just hide it. duplicate and rename with .exe folder. Hope it will help

Tim
Tim
10 years ago

I would like to know if anyone has dealt with this virus on an enterprise scale.
We have over two hundred users, in 10 different locations. We utilize a NAS device to map share drives to the different locations. I now see instances of the autorun.inf file in almost every folder on the NAS. The problem is that I don’t know which (or how many) computers are affected (infected).
What procedures do you think i will need to take? We use Vipre Enterprise anti-virus and AVG, but they only detect the .exe and .scr files that the autorun creates. I cannot delete the autorun.inf files on the network drives as they say they “are use by another program” Is there a way to figure out which pc is the culprit? or will I have to hire a team to run the cleanup on every computer over a weekend when no one is accessing the system.
Help please?

Wishbone
Wishbone
10 years ago

Worked on One Computer Great, better than any other so-called tipp, but on my other computers in the Same network, I can’t Even Access Safety mode, even Administrator is rejected (no permissions). When trying to del from command, Not possible (file is in use by another process)
Any hint? Don’t want to install Windows and all the other Things on 5 Computers…
Thxs

Wishbone
Wishbone
10 years ago

Worked on One Computer Great, but Otters, I can’t Even Access Safety mode, even Administrator is rejected (no permissions). When trying to del from command, Not possible (file is in use by another process)
Any hint? Don’t want to install Windows on 5 Computers…
Thxs

mafelu
mafelu
11 years ago

pano sa cellphone sd cards? how to delete the viruS?

dez123
11 years ago

I don’t know hat had just happened but it deleted all my files on My Documents. All folder are still there but the contents(file/documents) are all gone. I must have done something wrong, because when i run the del c:\autorun.* /f /s /q /a command I was in “C:\Documents and Settings\Administrator>” on the command prompt. Since my system Restore is disabled I guess I’m pretty f**ked up at this point!!!!

Paul
Paul
13 years ago

Thanks! This is the only thing that has worked on the autorun.inf on my flash drives, I followed your instructions re: the regedit, autorun folder and deleting in safe mode and all is well now.
My AV, Noob Killer and Autorun Eater did not work for me, the autorun.inf kept coming back.

Moe
Moe
13 years ago

Hey man I did everything you said but it looks way to confusing. I got RECYCLER.exe ????? but couldn’t find it on the start up processes in msconfig. I did the hijack this thing so give me your email address and I can send you the text document. I would appreciate it if you can help me out. Thank you.

RYANDAVE
RYANDAVE
13 years ago

i have a problem with my u.s.b. it stock because of autorun,inf how can i delete this virus iven anti virus apvast cant delete it please help me.. thank you

ahmed
ahmed
13 years ago

Hi,
This is Ahmed, i have tried cleaning the autorun.inf gone thru Safe mode and disable the autorun folder, but inside the autrun folder i am unable to delete BY UC. folder which says “access denied, write protected”, please help me.