AUTORUN.INF Viruses are virus that uses the Autorun feature of Windows to spread itself on computers. This virus makes a copy of the autorun.inf file to the root or main directory of all the drives on your PC, internal and / or external disks, to make the virus runs every time the external disks like pendrives or USB drives were inserted or every time you double-click the drives through the Windows Explorer.

A lot of this infections were found on Bolivia,Viet Nam, Ecuador, Pakistan, Philippines, India, Indonesia, Malaysia, Colombia and Mexico (this list of countries were based on the Google Trends results for the AUTORUN.INF VIRUS keyword search: Based on the same source, late of 2007 was the peak of this kind of computer virus infections but it also shows that in year 2008 the autorun.inf virus are still prevalent and keep on spreading. That’s why I decided to write an article about this autorun.inf virus.

Known virus variants of this kind are the YahLover (which uses scvhost.exe and killer.exe), Bacalid (which uses ctfmon.exe), IMGKULOT and FAIZAL.JS virus.

Prevention of Autorun.INF Virus

I still believe that prevention is better than cure so I have prepared here several points on how to prevent this kind of infection.

1. First method is you can disable the AUTORUN feature of Windows by applying a registry modification on the Windows’ Registry Editor. To do this:

  • Download: DISABLE-AUTORUN.REG and save this file on your computer.
  • After downloading the file, open the folder where you download it and double-click the file. You will be confirmed by Registry Editor if you want to proceed, just click Yes button to continue. (If a different message was seen such as “Registry Editing has been disabled by your administrator.”, possibly your PC is infected already by a virus that prevents registry access. To correct this read the section on Removing Autorun.INF virus.)
  • Restart your computer to apply these changes.

2.    Another method is to create an AUTORUN.INF folder on the root directories (main directory usually represented by backslash symbol \ ) . You can do this via Windows Explorer or Command Prompt but I will recommend the method via Command Prompt.

  • To run command prompt, click Start then Run or press the key combination: Winkey + R
  • Type CMD then press enter. This will open the black and white environment.
  • On the prompt, type MD C:\AUTORUN.INF then press enter key.
  • Repeat this procedure to other hard drives and USB drives. Just replace the C letter from the command with the appropriate drive letter of each storage device.
  • If this fails, maybe your computer is infected already by the virus so read the next section for the solution of this problem.

Removing AUTORUN.INF virus manually

Manual removal procedure of the autorun.inf virus will vary depending on the attachment of the virus on the system. Actually this kind of infection is very easy to remove. Simple DOS commands can easily remove this kind of infection.

The following are just generic instructions and some of the steps might not be applicable to some virus infections that uses autorun.inf.

1. First, boot your system in Safe Mode Command Prompt Only. This can be done by restarting your computer and pressing F8 before the Windows Logo displays. It is important that you start the computer in this mode because all start-up programs are not started on this mode.

2. When you see the black and white environment, type the following commands (commands in BOLD). This commands will be used for analysis of the infection only:

  • CD \ – This change the current folder to the main directory of drive C
  • DIR /AH – Displays all files that are hidden. Usually virus hides their files by changing its attributes to Hidden and System attributes. If you find a file: AUTORUN.INF, it confirms the infection of the virus.
  • TYPE AUTORUN.INF – This shows the content of the file autorun.inf. From the picture below you will see that the name of the virus is SAMPLE-VIRUS.EXE, which the name will usually comes with the line Open or Explore or Shell line of the autorun.inf. This shows that the virus carrier is the file SAMPLE-VIRUS.EXE

Safemode Command Prompt Only

Command Prompt window after dir/ah and type autorun.inf

3. To remove the infection based on the analysis above type the following command:

  • ATTRIB -H -R -S C:\AUTORUN.INF – unhides the hidden file autorun.inf
  • Repeat this step to other drives by replacing C:\ with other letters

4. To make sure that the carrier will not run during start-up, you need to make sure that it is disabled. Do this using the MSCONFIG tool of windows.

  • On the same Safemode Command Prompt Mode, type MSCONFIG
  • This will run the System Configuration Utility.
  • As shown below, uncheck the suspected file. This will disable it from start-up and will not run again. To see other places where programs were place to run on start-up, see my previous posts: How to Determine the Windows Startup Programs?

System Configuration Utility

System Configuration Utility window

Note: This manual removal is only recommended when your installed anti-virus is not working due to the said autorun.inf virus infection. My advice is that when the virus is already removed manually, try reinstalling or installing an antivirus and update your virus definition file and scan your system to ensure a virus-free PC.

If these steps specified here does not work for you, use TrendMicro Hijackthis (this is free and downloadable). Use it to analyze the system and produce a file called HIJACKTHIS.LOG. Send hijackthis.log produced to my email address so that I could analyze it and suggest an appropriate solution for it.


  1. slapstick

    any one tried this Linux OS, if your windows system is infected with virus, like autorun.inf virus base on my experience it generates/create .exe file. you can easily delete autorun.inf and the exe files it created “TuJvPe.exe” something like this. just boot from your cd drive. then you will realize that your files isnt deleted yet, the virus just hide it. duplicate and rename with .exe folder. Hope it will help

  2. Tim

    I would like to know if anyone has dealt with this virus on an enterprise scale.
    We have over two hundred users, in 10 different locations. We utilize a NAS device to map share drives to the different locations. I now see instances of the autorun.inf file in almost every folder on the NAS. The problem is that I don’t know which (or how many) computers are affected (infected).
    What procedures do you think i will need to take? We use Vipre Enterprise anti-virus and AVG, but they only detect the .exe and .scr files that the autorun creates. I cannot delete the autorun.inf files on the network drives as they say they “are use by another program” Is there a way to figure out which pc is the culprit? or will I have to hire a team to run the cleanup on every computer over a weekend when no one is accessing the system.
    Help please?

  3. Wishbone

    Worked on One Computer Great, better than any other so-called tipp, but on my other computers in the Same network, I can’t Even Access Safety mode, even Administrator is rejected (no permissions). When trying to del from command, Not possible (file is in use by another process)
    Any hint? Don’t want to install Windows and all the other Things on 5 Computers…

  4. Wishbone

    Worked on One Computer Great, but Otters, I can’t Even Access Safety mode, even Administrator is rejected (no permissions). When trying to del from command, Not possible (file is in use by another process)
    Any hint? Don’t want to install Windows on 5 Computers…

  5. mafelu

    pano sa cellphone sd cards? how to delete the viruS?

    1. Ganon pa rin mafelu. Try mo to have a clean PC muna then install an antivirus before mo insert ang SD Card then i-scan mo. 🙂

  6. I don’t know hat had just happened but it deleted all my files on My Documents. All folder are still there but the contents(file/documents) are all gone. I must have done something wrong, because when i run the del c:\autorun.* /f /s /q /a command I was in “C:\Documents and Settings\Administrator>” on the command prompt. Since my system Restore is disabled I guess I’m pretty f**ked up at this point!!!!

    1. @dez123, try using dir /ah on the command prompt. Check if the files are still there. There are some strain of viruses that hides the original file and create a ‘mimic’ of it. Maybe its Sality or other strain. Try to download AVG Sality remover it will fix this thing. Let me know if there are still some issues.

  7. Paul

    Thanks! This is the only thing that has worked on the autorun.inf on my flash drives, I followed your instructions re: the regedit, autorun folder and deleting in safe mode and all is well now.
    My AV, Noob Killer and Autorun Eater did not work for me, the autorun.inf kept coming back.

  8. Moe

    Hey man I did everything you said but it looks way to confusing. I got RECYCLER.exe ????? but couldn’t find it on the start up processes in msconfig. I did the hijack this thing so give me your email address and I can send you the text document. I would appreciate it if you can help me out. Thank you.


    i have a problem with my u.s.b. it stock because of autorun,inf how can i delete this virus iven anti virus apvast cant delete it please help me.. thank you

  10. ahmed

    This is Ahmed, i have tried cleaning the autorun.inf gone thru Safe mode and disable the autorun folder, but inside the autrun folder i am unable to delete BY UC. folder which says “access denied, write protected”, please help me.

  11. ahmed

    Thanks for your respons,
    I tried scanning the system with Karpersky Antivirus, it show the autorun file, but it is not detecting as virus, for past 2 weeks i have the promble my usb is also not working as it say wite protected and unable to upload data to it.
    My systems is full of Autorun.inf, Recycler and some k-1234-7888889999-156 files i tried deleting these files (some cases these files Recycler and some k-1234-7888889999-156 deleted but come again) but the Autorun.inf cannot be deleted as it say “cannot read data”
    but let me try edit autorun.inf command.

  12. ahmed

    I am currently facing the same issue getting the AUTORUN.inf file been created on each drive, i tried deleting the .inf file from the following comments given by you in the safe mode, still i am unable to delete it.
    Can you please let me know how can i remove it

    1. @ahmed, have you tried scanning your system with an updated anti-virus on safemode? One reason why it still coming back because the virus is running on the startup of your system whenever you go back to normal mode. I suggest that you remove the virus first. Autorun.inf is just part of it, you can have a clue on what virus is infecting your system if you will edit autorun.inf using: edit autorun.inf command.

  13. koolkat

    Your DISABLE-AUTORUN.REG download is a trojan !!!

    Trojan.BAT.Teldoor.b: Virus
    c:\documents and settings\owner\my documents\misc\disable-autorun\disable-autorun.reg is Deleted.
    c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp51\a0002044.reg is Deleted.

    Thanks for nothing !!

    1. koolkat, Disable-autorun.reg is not a virus. .REG is not an executable file but a registry file (windows xp) that can be embedded to the registry. It contains plain text that switch off the flag value for autorun on your PC. You can open it using your notepad to see its content. There is a possible that some anti-virus will treat it as a trojan horse but it doesn’t contain any code that will harm your computer.

  14. angeli

    Hi! i had bat and vbs detected by avg on my pc, long ago. after following the removal steps that i was able to search on the web, they were successfully deleted. however, the “folder options”” under “Tools”in the explorer window has disappeared! gosh, i really don’t know what to do and i’m not sure if my pc is still doing fine,if it’s still infected or not anymore because the antivirus doesn’t detect the recycler and autorun that i see everytime i open my usb flash disk just recently.

    please help me…

  15. William

    Hello again. I thought that there might be some hidden “thing” running in the memory that was recreating the file and folder. Some viruses will hide from the task manager.
    However, I went and did a system restore, which is to go back to a previous restore point, and that wiped out the virus good and proper. I did have to go and redo some files that weren’t there when I restored the computer back, but all is good, and I’ve created a restore point where all is working well again. Thanks for your help, guys.

  16. sunjaelee

    Hello. I had a problem of that on my mobile phone and my usb drive. For the usb, I deleted the autorun.inf file but it kept on coming back so I made a folder named autorun.inf. since then, my usb is fine but my phone has a problem. I cannot access my phone memory without usingthe software that came with the phone but somehow, the virus. apparently, it says the virus is in my memry stick which i cannot put in m computer because i use a desktop. can anyone tell me how to do it??
    I tried bluetooth and it didnt work. the software can’t see the hidden folder and the phone comes out as “LG Phone” on my computers and because it is a system folder, i cannot go in using windows explorer. I tried going on cmd and searching for every drive from a to z but none worked.

  17. William

    Hi, everyone. I have some suggestions to make, followed by a question or two. First thought of the day… Anytime you find something and you don’t know what it is, copy the entire file name, go to and paste it in there. You will find out what it is, and then you can delete it if it’s no good. My next comment is to find deltree.exe and download it. It’s a DOS command that will delete any file or folder, read only or not, hidden or not. Beware, as you could accidentally type deltree windows and delete that folder! It will ask you if you’re sure before it starts.
    Having said all that… I have the problem with autorun.inf. I haven’t yet tried all your suggestions, but I will, and get back to you. However, my pressing problem is that the folder RECYCLER is on each drive. I know it’s supposed to be there, because it was there when I first installed Windows. What I don’t know, is why the virus erased everything and put it’s own file in there. My I delete this folder, I can no longer click my computer, then drive C. It’s most annoying. When I delete this folder, because it must be a virus, it comes back. That’s probably because I didn’t mess with the startup menu yet. If you have any thoughts, I’d love to hear them.
    Meanwhile, something else has occured to me. To everyone reading this. Click on the following: Start > All Programs > Accessories > System Tools > System Restore. There are 2 things you can do with this. 1) You can restore your computer back to a point before the virus messed with your stuff. 2) You can create a restore point that you are sure is safe, so you can go back to it later. Beware, though, when you restore your computer. Various files and things you wanted to save may be deleted because they weren’t there before. This little fact reminds us that we should use CD’s to make backup copies of all important files, programs, and install files, anything you need saved.
    As for deltree, you can type deltree autorun.inf and it will kill it. Open Notepad, and save as all files. Now type killer.bat for example. In this file, type deltree c:\autorun.inf, save and exit. Everytime you run this, it will do anything typed in that file. deltree /y means yes do it and don’t ask me about it. Make sure you use this command carefully. Also, if you put it in your Windows folder, you can use the command anywhere on your computer.
    I hope all of this has helped someone…

    1. Thank you for sharing it with us William. With regards to your problem on the virus creating folder when deleted it turns back, it only means that the virus is still running on the system. You should make sure that the virus is not running. How? Well if you can still access your command prompt in safe mode, you should delete it there.

  18. Leon

    i had infected autorun.inf inside my hard disk, i tried many ways online including attrib -s -h -r autorun.inf, del autorun.inf, find out the file to delete it, anti-virus, but it still cannot be delete, i jus make it appear in my folder but still unable to delete it. wat is the problem? i also tried in safe mode, chging the registry.

  19. rd

    help me im a 19 it student and i need elp..i did not encounter this kind of virus.. it destroy my anti virus

    i dont know what virus infected my computer.. when the eset anti virus scanned it show the autorun.inf ..recycler,msdos on my drive D:.. when i delete it.. the autorun.inf still remains.. it infected a lot on my computer and the networking is lost.. help… i don’t want to delete my infected files of this virus.. i just want to heal it and kill this virus.. is there any possible things that i can do? help me…

    just send to my yahoo. rdv_75[at] thanks a lot.. help

    1. @rd, try to follow the instructions on this post. remove autorun.inf, on your PC on all drives. do this in safemode. To repair your network problem cause by the said virus, try to search Winsock Fix and LSP fix, these are the two tools I use to fix network problems.

  20. Thgian

    @bleuken, I think I found the solution. It is like autorun.inf but in different PC’s goes to different folders. In another pc where I put the stick it went to windows/system32/447ff1/578c2e.exe (hidden folder)
    I follow the procedure you described in your article through the command prompt mode and i delete it. After that i delete the hidden folder 447ff1 from system32. Up to now no problem occurred.
    Also it was in System configuration utility in the startup menu where i remove it from there as well.
    Thank you very much for your response and for the article. It was really helpful

  21. @thgian, if you’re not sure about this, you could rename the file instead of deleting it. then try to check if something happen with your PC.

  22. thgian

    Hello my friend.
    I’ve read your post as I have a problem with Autorun.inf virus.
    I have the NOD32 and when I put the USB stick nod says the following:
    “Event occured on a new file created by the application C:\WINDOWS\system3238bec\f88c4a.exe”

    I search for it in Command Prompt mode and I found it in this directory. Unfortunately a small search in the net didn’t gave me some information about this EXE file.

    Can I delete it or this will harm the system?

  23. @Mr Ninja, the worst possible cause of this is the virus that infects your PC corrupted some files. Try restoring your PC to a later period of time but this does not assure that your PC will come back on its previous state.

  24. Mr Ninja

    I’ve had also the Autorun.Inf virus. I’ve manually removed the virus and also I’ve made autorun.inf folders on my drives. But I still have some trouble which could be linked to the virus: when I (re)start Windows, I get a warning that Windows Firewall is disabled. I can enable the firewall, but it still is very strange. Can anybody help me to solve this problem? Because I suspect that there is still something left of the virus on my pc.

  25. Laur

    I don’t know if anyone said this already but TotalCommander can see the autorun.inf, system and hidden files. You can also delete those files, unless they are protected by those attributes..
    Maybe someone could write a simple bat file (with commands to delete the autorun.inf)? And maybe make that file autorun by editing autoexec.bat?

  26. ben

    hi writer,
    thanx. i followed the procedure and it has worked. i’ve removed the autorun.inf and have made AUTORUN.INF dir in all my drives. i hope i will be safe now onwards. thanks.

  27. kingull

    Looks like the basic worm that creates autorun.inf on drives and usb

    This worm made my hard drive appear dead.
    Began with Endless browser hijacking
    then caused blue screen continuous reboots
    and eventually apparent dead hard drive.

    Details and removal:

  28. kingull

    The bug takes over the following:
    Restore System.
    Recycler.(Inserts long name ending in .com)
    Can cause hijack of browsers.
    Can cause infinite blue screen crash.
    The bug carries Microsoft digital signature thus it is not detected by antivirus.
    The bug as yet has not yet been discovered by antivirus.

    Things to do:
    Disable System Restore:
    Install recovery console so you can run fixboot and fixmbr.
    This stops the bug from functioning.
    You need ERD Commander so that you can delete all recyclers and all system volume information folders.

  29. defjam71

    Ive already used many anti virus programs but doesn’t detect anything. I ll try the Microsoft help support.

  30. defjam71

    Hi, thnx for the tips on autorun, worked perfect but now i have another problem. When ever i go to myy documents and either left or right click on my u torrent download folder it crashes windows explorer. I gather theres a virus in there of some sort but its also got my downloads, which i cant get to.

    1. did you check your system w/ an antivirus already? there’s a lot of possibilities that this might happen. please consult Microsoft Help support for this. 🙂

  31. tigerman

    Sir, I got another question. My sister bought an external hardisk. How can I perform the 2nd method with the external hardisk? Kasi the folder will only appear kapag nakakabit siya sa pc di ba? thanks.

    1. hi tigerman. it’s the same steps. external disks will be assigned by a drive letter and you need to identify it.

  32. tigerman

    Thanks. My hardisk is partitioned into drive c and d. The .reg file is in the drive c. Should I save the said .reg file in the drive d as well? Pasensya na for the many and seemingly unlimited questions hehe. Salamat uli.

    1. it is not needed tigerman. the .reg file sets the autorun settings, affecting all the drives of your system.

  33. tigerman

    After selecting yes, the message “the disable-autorun.reg has been installed into the registry.”

  34. tigerman

    Thanks bleuken. But wait, I’ve already saved the disable-autorun.reg into my pc’s drive c. I right-click the file then selected merge. The next message that came up was “Are you sure you want to add the information C:\ DISABLE-AUTORUN.reg to the registry?” I selected yes. Am I done already with the first method? Thank you very much.

    1. yes the said .REG file change the autorun flag which disables Auto Run of drives. you did it correct tigerman.

  35. tigerman

    Thanks bleuken for the reply. But wait, like I said before I’ve already performed the 2nd method. Should I perform the 1st method as well?

    1. to be sure, i recommend that you should.

  36. vishnu yeroor

    iam running avg but not removed new trojan and auto run

  37. thanks tigerman, just corrected the DISABLE-AUTORUN.REG 404 problem. With regards to the creation of autorun.inf folder, i found it effective and tried it for several times. the concept is simple, autorun.inf virus automatically creates autorun.inf to drives and when they tried to create to drives with existing autorun.inf folder, virus will fail from creating autorun.inf files because they can’t override the folder. if the file was not created then the virus will not start automatically when inserted thus preventing the spread of the virus. 🙂

  38. tigerman

    By the way, I initially tried the 1st method in preventing the autorun.inf but the link DISABLE-AUTORUN.REG apparently doesn’t work as this message appeared afterwards “You Just Step Into Our 404 Zone, Please Browse Our Other Archives To Continue.”

    Thank you very much. Mabuhay ka kapwa ko Pinoy!

  39. tigerman

    I had this same problem autorun.inf. I got this from the memory card of our digicam. By using avast, I tried deleting/moving to chest the said virus but to no avail. So I finally decided to just reformat my pc.

    After reformatting, I saw this website of yours. I performed the 2nd method (create an autorun.inf folder in my drive c and d). How can I check if this method works? Should I connect again my usb device or flash disk in the pc just so I can see if its effective?

  40. dhimpz

    hi sir bleuken,
    tatanong ko sana tong problem namin d2 sa office. nagkaron kasi ng virus ung server namin windows server 2003. na oopen ko ung drive c: pero ung mga partition tulad ng x, y, s pag double click ko na oopen sya sa notepad. marami na akong nabasa sa mga website regarding on this problem ung autorun.inf. pag ra run ko ung regedit lumalabas disabled by your admin.. tpos ung anti virus ko ayaw na din gumana. ginawa ko na rin ung attrib pero ang sinasabi di nya madelete kasi ginagamit nga raw. gusto ko sana i try na delete na lang ung autorun.inf sa main folder nya pero natatakot ako baka mas lalong malintikan.. ayoko take ung risk baka magloko di ko na marecover at wala kameng backup n2..wala din akong mahanap na anti virus for windows server 2003 na free. baka may ma recommend ka saken please help me naman..
    thanks in advance..

  41. ravishankar

    Yes, I have tried to remove it from safe mode command prompt only. I am not techinical, pls explain.

  42. ravishankar

    Hi, bleuken
    I read your article autorun.inf. I am also having the problem with my pc. I have tried deleting autorun.inf through the guide lines given by you(thru attrib -h -r -s autorun.inf, del autorun.inf, and changing the registries). But still after the completion, once again virus scan shown autorun.inf virus. pls help.

    1. did you remove it during safemode command prompt only? try using a tool like Hijackthis to determine start-up programs and try disable anything that you find malicious

  43. Caren

    Hi. I am having trouble with my pc. again, it has to do with the autorun.inf.

    i tried deleting “autorun.inf” using the command prompt two months ago. however, the virus scanner – AVG (i’m not really sure if this thing works!) keeps on detecting it after several attempts of deleting via command prompt. during that time, i am not using any removable disk.

    so, i finally give up. nevertheless, i am continuously irritated by the scan result of AVG that there still an autorun.inf, although it has been “healed” during the previous scanning. this time, i really have to use the flash disk to transfer my school files.

    so, hoping to clean the flash disk, i tried doing it using the command prompt but i was NOT able to have an access. the pc is automatically turned off. i tried doing it again (after turning on the system) and the pc turned off on me the second time when i tried to access command prompt.

    What shall i do??? PLEASE HELP.

    P.S. i know you can also help me with this: everytime i turn on my pc, i have to wait a considerable number of minutes before i can use it. Furthermore, this message pops up (notepad):

    [email protected]%SystemRoot%\system32\shell32.dll,-21787

    and also mozilla firefox with a blank page and on the address bar:


    since i am not a techie, i did not dare delete any files.

    what shall i do??? PLEASE HELP.

    1. try downloading AVAST, run the “Schedule Boot Time Scan”

  44. razilia

    hello again! Did you receive my email? I sent the log files. I hope it was the right log files. Hope you can help on checking it if there is any problem. Thanks so much again!

  45. josaragoca

    thanks for the help, but i’ve already avast, and he didn’t detecte anything.
    do you know any removal for this?

  46. razilia

    Sorry for that. I’m just in panic mode right here. I’ll be sending the logfile in a while, I don’t know if it is the right one but hope it helps in determining the problem. Thanks again!!!!!

    1. i did not find any problem yet. 🙂 relax.

  47. razilia

    Thanks for your quick reply, I’m more worried now about my phone. I dunno if it is like what you said. I don’t also have a means to check if it is infected. It uses a MicroSD card and that’s where I install the files I have for the phone? Does it have a remedy too like computers?

    1. as i said, it depend raz if the phone was treated by your system as a storage media it will be infected but if not then there’s nothing to worry. of course there’s a remedy, it will be scanned and cleaned by anti-virus programs the same as your other disks. 🙂

  48. razilia

    Hi there! I found about this site after searching about autorun.inf because I also have the same problem! Well, I’ll follow all the instructions first but I have a question…it affected my removable disks, does that mean my files in it are infected too? I scanned it several times but only autorun.inf appears to be the one infected. And then another thing, I also use the same usb port for my phone, will it affect my phone even though it is not considered a removable disk? Hope you can answer, thanks for this site!

    1. Hi razilia, w/ regards to other files infection, it depends on the strain of virus or worm. There is a virus that attached itself on .exe files like the W32.Sality strain and others just behaves like worms that just spread itself via duplicating your files or folders without altering your files. When phone are attached to infected PC, there’s a possibility that it can be infected if it was used as an external disc and let the OS utilize it as a storage media, which some phones can be used like that.

  49. @josaragoca, try other free antivirus like avira or avast then let me know if the infection was eliminated.

  50. josaragoca

    yesterday i have a problem in my home computer. then i discover the problem is it in the pen.** autorun.inf **
    i have removed the file autorun.inf whit the help of bleuken, running cmd, but he have create a folder named recycler with another folder inside with several numbers, and i don’t know how to del they, i don’t remember the language in DOS to del.
    i need help for this…
    other alert it’s because i use the pen in a recently portatil SO vista, that i bought less a month, and the virus/file is not there, but i see two files in system32 suspicious, this files also have several numbers…. i run norton antivirus and don’t detected anything.

    if you can help me.

  51. @jak, i’m not sure if what file is that. Did you install recently a driver of a printer or any program?

  52. jak


    hi, what is the use of this in my system??

    while i was exploring my pc, all programs-start up-

    i suddenly saw a suspicious folder named iiiiiiii with the directory of the address above, but whenever i open that or explore it, nothing happens,. it was the direcory of my autoru, wat d u think, if i erase this hidden folder, will my system malfunction??

    im using a nod32 antivirus,., ^_^ thanks, pls reply..

  53. jacksinoy

    eh,baka naman po masira yung pc pag dinelete ko yung hidden folder na yun..C:\WINDOWS\system32\E0F2DF\2C0CB8.EXE

    pls reply po. thnkx!

    1. i don’t think it will pero if you really not sure and afraid to delete it then let AVAST delete it for you then.

  54. jacksinoy


    jan po galing yung virus na nadetect ng nod 32.. pag inerase ko po ba yan, maccra yung pc ko?? thnkx po.

    1. just try to delete it if you’re sure that it’s the file detected by the anti-virus as the infected one. if you want try the “Schedule Boot Time Scan” feature by AVAST to remove the infection.

  55. jacksinoy

    hi po,..

    infected po yung pc ko ng INF/autorun.gen trojan,..

    lahat po ng folders ko na nasa usb, naging .exe or naging applications. at naging hidden yung real folders nya,.. ang size po ng mga apps ay 1.44 mb

    nadedetect po xa ng nod 32…everytime lang po na mag iinsert ako ng USB saka lang xa lumalabas galing sa system32…..ano po ba ang gagawin ko para di na maging apps yung folders ko..

    pag ngfufullscan naman po ako,di naman po nadedetect ng nod32 sa drivec pero pag nakainsert tlga yung usb sa drive g at sa iabng drives,saka lang po xa lumalabas……

    ang hirap po kasi especially sa fone ko, nung nilagay ko fone ko po, naging .exe lahat ng folders!
    kahit nireformat ko na po,bumabalik pa rin po talaga yung virus na autorun…. pls help me naman po… maraming maraming salamat po..

  56. cipan

    One last note – if the cvko.exe is still there in your startup (you can see it in the HijackThis scan log if it’s there), then you can’t disable the autorun function via regedit

    It’ll simply change back the hexa value from FF (255) back to the default (enable) value.

  57. cipan

    By the way, many thanks for the leads you gave.

    Specifically how to ID the loader file and also the attrib thingy.


  58. VeryDesperate

    Good Day Bleuken… I somehow found a way how. Every time I removed the virus using the instructions above, it always comes back. But I notice it was about 4-5 seconds before it could return. So what I did? I combined your instructions. Removing it first, then preventing it. The most essential factor is “speed”. The noob.killer.leerz and the comman prompt waas what i used. Before I deleted the autorun.inf virus I already type on the command “F:\AUTORUN.INF”(the virus was in my usb F). At the time of deletion of the autorun.inf virus, I immediately hit the enter button to execute the command on the command prompt. And there is it, No more virus. Thanks for all the information. you’re a really great help.

  59. VeryDesperate

    My autorun.inf has an m.exe… please tell me how to delete it..
    I followd the above but it still won’t work

  60. Tyler

    few days ago, these hidden files appeared in my C & D drives; $RECYLE.BIN, RECYCLER & SYSTEM VOLUME INFORMATION. Any clues as to what they are man?

    1. @Tyler, is it an application or a folder?

  61. cubedm

    Thanks a million. There seems to be very little explaining how to get rid of the thing once you are infected. I’m all clean now, thankyouverymuch!


    how about the hidden files? i cant open it cuz its hidden.. and the proccess that they said is ti go in the control panel and search the folder option but theres no folder option in control panel… where can i find the folder option that they said?

    tnx for helping…

    i learnd a lot..

    hope to learn more…

    1. read the rest of the article you can find commands such as dir /ah to see files in hidden plus tips on how to edit the registry. Folder options can’t be found because the virus might turned it off via registry. but I advice that you let the free tools that I have mentioned on my other post to do the things for your. if the tools does not work, just send me the hijackthis.log via my email address. good luck!


    sir., what can i do to delete the virus. i dont know the virus but b4 starting up my computer theres an message box and it’s a different language so i dont really know d virus. the message was “it’s my birthday” and “don’t kill me” that’ th eonly word that i understand. and i just want to know how can i solve the trend chipaway virus? it’s shutting the computer automaticaly. i already deleted the autorun.inf and it was succesful but in other drive wen i type the command DIR/ah example in the g: theres no autorun.inf but i cant oppen it. what should i do?? the only thing that was shown there are the following:
    System Volume Information
    The renegade Network Marketer, by ann sied_files
    Thumbs .db

    that all. what should i do?

  64. VeryDesperate

    Sir please help me. my computer is opening programs by itself. I’ve tried a lot of programs but it still doesn’t work. I do have trend hijackthis. I fully trust you. I’ll just send to you the log file. Hoping you’ll give me even just a little of your time. 🙂

  65. krizzia

    i just want know where to send (email) hijackthis?

  66. rahul verma

    i can’t remove autorun.inf in all drives it created by flash disinfector. so plz suggest me

  67. @Dave112, maybe it really does not exist. Check if the file exists on the root directory. not on windows dir 🙂

  68. Dave112

    i have already used the disable reg program that u suggested but now i cant find the autorun.inf to delete it.

  69. @haseth, I think Vista handle autorun.inf in a different manner, that’s why. I did not experience any infection on this OS and I think there’s no autorun.inf virus yet that can infect Vista.

  70. haseth

    I had and autorun.inf file in my usb flash drive which was infected and on XP my mcafee firewall would clearly detect it as a virus and i myself could see it with system+ hidden+readonly attributes off.

    But on Vista I can never see the file.It’s as if it doesn’t even exist. Why doesn’t vista detect the file?

  71. khen_clark

    sir i tried using the command prompt but it keeps saying that it cannot find the file

    but if i type G:> autorun.inf, a window comes out

  72. harbans


  73. darwin

    When i press F8,
    there is no option for:
    safe mode command prompt only.

    only option for:
    safe mode with command prompt.

    and it take a hour till windows safe mode.

    if i start normaly, computer will be very slowwwww

  74. @harbans, in xp systems autorun.inf is enough for the system to autorun as long it is not disabled on the registry but in Vista, as of now I can’t think of anything yet that will by-pass the pop-up. I’ll email if I find something that could help you.

  75. harbans

    bleuken, iam working as a software engineer and i been in a work to help the user to automatically run the help files or manuals whenever he/she inserts the CD assuming that the user is not usual computer user ..I know the concept is somewhat similar to VIRUS concept but trust me, i had no such intention. However, there is no one who can tell me the solution of this… I searched all the google stuff but nothing helped…Please mail me if you find any related stuff…[email protected]…i need it urgently..

  76. harbans, that’s why they call Vista as one of the most secured OS because of that pop-up dialog that ask every time b4 executing any apps and I think the only way you can bypass it is when you execute your apps during boot through autoexec.bat which I’m not sure if will work anymore in Vista. By the way, what’s your intention regarding preparing scripts for Vista?

  77. harbans

    @bleuken (Who am I?)
    in our last discussion, you had told that one can write code to edit registry through VBS which can be called automatically through autorun.inf..But i got one problem, as my task is to run a script through autorun.inf which edit some entries in registry on insertion of CD without any user notification. Everything is fine but when i tested this thing in VISTA..It fails…VISTA asks for the permission to run the TEST.VBS when we insert the CD…So please help me and let me know “what should be done to edit the registry on insertion of CD automatically from the very first time without any pop dialog”, there should be no message to the user…Like in VISTA everytime it runs something from autorun.inf, its asks for the permission to run that thing in the form of pop dialog…please let me know…

  78. @jbb_49, please send me a copy of hijackthis.log via my email. (you can produce it using Trendmicro Hijackthis, download it)

  79. jbb_49

    Hi bleuken! i have used your methods in removing autorun.inf and it works on my brother’s pc. it didnt work on my pc at home.
    here’s what i did:
    i followed steps 1 to 3 only on my brother’s computer. i wasnt able to do step 4. after that, it did not recur on the flashdrives and the drive e (where i found the autorun.inf. it wasnt on drive c).
    but as i used the same steps (1-3 only) on my computer at home it didnt work. and the flashdrives got infected. i know it is from the computer. same thing, i didnt find it in drive c. only on drive e. (both computers have 2 hard drives, c and e).
    and when i tried to do step 4 on my pc at home, the System Configuration Utility wont come up. what could be the problem?
    and how come the first pc was ok without doing step 4?
    please help me out.

  80. dyrone

    tnx it works… tnx a lot..

  81. dyrone

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:20:44 AM, on 11/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    … [log removed] …
    O4 – HKCU..Run: [kxva] C:WINDOWS\\system32\\kxvo.exe
    that’s dat i got

  82. @dyrone, download hijackthis then send me the hijackthis.log. Then, I will email you with my analysis.

  83. dyrone

    i did already actualy just a while a go… the avast home edition did not detect any during its boot…and when i tried to delete the folder i created with name autorun.inf the ca antivirus still detect the autrun.inf… only in my pen drive ofcourse maybe because the autorun.inf directory still exist in driv c and d…. what will i do?

  84. dyrone

    pls help me… and there is another malicious file in my pen drive its name is buis.exe do u have any idea about it.. pls… tnx a lot

  85. dyrone

    gud day!

    I’m new here… Im g;ad of what ive read… but in my case, i followed all ur steps but when i view the hidden files of my pen drive using dos i can’t see the autorun.inf but my ca anitvirus is still alerting me of this kind of virus…. i thought only that when i created a directory autorun.inf the resun i cant find the autorun.inf but wen i delete the directory still the ca alerted me of that virus… pls help… how can i delete the autorun.inf if i cant find that file? tnx…

  86. @harbans, yes but the problem is some anti-virus programs block this kind of script because most of the scripts made for this purpose are considered “malicious programs” specially Registry changing scripts. You can find a lot resources about VBScript on the web. One great tool you can use is VBSEdit.

  87. harbans

    thanks for the reply bleuken…
    but r u sure that a file with extension .vbs will run automatically through autorun.inf and can write enteries in registry and can call an exe afterwards..also can you provide me stuff that can help me writing code in VBS or JS which ever is good ..

  88. @harbans, you can’t write register via autorun.inf. it is only used for triggering CD autorun. The other way aside from not executing .exe is through the use of scripts (JS, VBS) which is what the viruses mentioned on my post are using.

  89. harbans

    I want to know that can we write or edit registry enteries through autorun.inf file without executing any .exe…..i mean can we write code in autorun.inf file that runs on inserting the CD etc. and edits the registry.

    thanks in advance

  90. you’re using avast w/ mcafee? try using one anti-virus at a time. smitfraudfix is a utility program that search for infection of spyware and even detects some autorun.inf virus, it is not a virus. I recommend that you send me a copy of hijackthis.log of your system so I could analyze it thoroughly.

  91. gautam

    but the mcafee antivirus said that smitfraudfix is a virus….

    moreover how can it works

  92. @gautam, download hijackthis. send me a copy of the log generated by the program via email so I could analyze your system or you could try downloading smitfraudfix first and try running it to your system. It fixes some common infections.

  93. gautam

    also plzzzzzzzzzz rank me the top ten antivirus programs

  94. gautam


    the solution which u adviced me is already tried by me but still the problem remains the same

    now plz tell me that whether (autorun.inf) this can damage my system or not

    i have also repaired the avast antivirus

    i have used other antivirus programs also

    why it says about the virus only in external HD other than CD/Dvd

    plz tell me some valuable suggesstion other than to format my system

    either my system safe or not and whether external HD destroyed by this Virus

    waiting for ur reply

  95. @gautam, Try to use the feature of avast – “schedule boot-time scan” and make sure you insert your external disks before the scan process begins. When prompted, choose the delete or clean the infected file option of the scanner. Make sure you finished the whole scanning process. Good luck!

  96. gautam

    sir ,

    my problem is that my antivirus software avast can detect this virus but after deleting this virus it again alert that a virus found and same process continues…………………. this can create me problem only in external hard disk(pen drive/flash drives/ data cables while mobile connected etc) but not inside the computer…

    sir now tell me what should i do

    i have 100% trust on u…………..

    mail me at [email protected]

  97. @Abhishek, i think the virus has nothing to do w/ it. Maybe the problem is either your USB port or your MJ device. Have you tried it using in any other PCs?

  98. Abhishek

    I am using magic jack from past one year.but since this virus has broke out ma pc got infected too via pen drives. Is this responsible for not functioning of ma magic jack. magic jack is a telephone which ma relative sent me from U.S.A so that we can call on any time. Whenever i try to start MJ it shows the device is not connected ..some time though it gets detected but majorly it shows error. is autorun.inf got tu do anything with this. plz reply fast as in wat am i supposed to do to deal with this problem . n thnx in advance

  99. @kemboi, I alway use R-Studio to recover my files from damaged hard disk or flash disk. It is a good tool also for recovering deleted files or formatted disk. Try it they have this trial version on their website, just search it on Google.

    if you want to see your hidden files, use the command prompt and type

    DIR X:/AH

    assuming that the drive letter of your disk is X. If you could send me a copy of the virus via email so I could analyze it and check on the appropriate things to do about it. If you do, just ZIP it. Good luck!

  100. kemboi


    My flash disk was hit by a virus called “yew.bat”. After cleaning the disk with an upto-date version of Kasperksy Antivirus 6.0, I could not see my files though I can see that a good portion of the disk is occupied, a section equivalent to that occupied by my files.

    Windows Explorer does not reveal at the Status Bar whether there are hidden files in the disk.

    The disk contains very important data that I need to use.

    Please help me recover my files.



  101. nicholas_b105

    i D\L’d the pro edition.. just removed AVg as this ouucpy too much storage space on my pc. . .

    It what way easy for you can i send you my log?

    (in the regedit @ the run, i didn’t find the LegalNoticeText in the winlogon)

    . . .

    thanks a lot

  102. @nicholas, did you replace your anti-virus to AVAST Home Edition? try to install it (uninstall AVG first). If you want download a copy of HIJACKTHIS from Trendmicro and send me the log file via email so that I could analyze your system.

  103. nicholas_b105

    sir is there anyway to find out if the autorun.inf was actually removed from the drives? I mean i did all those things that you said but tha hazard symptoms of the autorun is is still abruptly present.. (The files will open it’s own window..)

    help . . . =(

  104. nicholas_b105

    I’m getting extremely desperate right now. I’m using AVG 8 pro + trojan hunter 5 + spybot S and E + Malwarebytes’ only to have my USB infected and transmit it to my pc and softly run without a trace.


  105. @nicholas, its another strain virus which mimics the names of the folders or files (like the Brontok virus), the only thing you can do right now is to download AVAST, run the “Schedule Boot-time Scan” so that it can be removed before the systems starts the virus again. With regards to the messagebox, I think it is posted on the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText

    of your registry. Just remove the text content, don’t delete the key!

  106. nicholas_b105

    tnx a lot. well i followed all of those that you’ve said above and this was the result. i know that the autorun folder in my c: drive is healed, as it’s original folder icon is now ok (when the folder is infected, the folder icon changed into the older xp versions, i am using somewhat a vista-like bricopack so my folders don’t look like xp). But hey, only the autorun was healed, the rest of the folders still looks like the infected ones, and the is still named “foldername.scr”, so maybe they are still not okay.. any recommendations for me sir? Also that huge messagebox during start-up is still there. That one that says something bahasa indonesia in it (not so sure about that language though), and those phrases like “it’s my birthday” and “please don’t kill me”.

    thanks 10x. . .

  107. nicholas_b105

    oh ok.. i never realized you’ve done it already. thanks by the way..
    nice job sir..

  108. @nicholas, just type CD\ to the current C prompt, this will lead u2 to C:\> which is the main or root directory of drive C if you wish to go to drive d, just type D:

    Hope this helps.

  109. nicholas_b105

    sir i have a rather silly question. Yes i have that autorun.inf infection as well as the one named recycler. I am about to do what exactly you said but the problem my default address when i open cprompt is “C:\my documents and settings\admin” instead of c: alone. Now “mydocs” is okay, the autorun.inf lies on the c: and d: drives and im so desperate trying to delete those folders only to come check it again. Just wanna ask how to change the address in cprompt so that when go to run and “cmd”, the address will go to c: and not the other one..

    thank you very much

  110. @Mohamed Rizvi, This is nice steps in removing autorun.inf! Thanks

  111. hi,
    try following step

    1. open autoexec.bat
    2. add follwing commands
    (if you have 4 hard drives on my computer ex: C,D,E,H – F may cd-rom)

    attrib autorun.inf -h -s -r
    del autorun.inf

    attrib autorun.inf -h -s -r
    del autorun.inf

    attrib autorun.inf -h -s -r
    del autorun.inf

    Another method

    goto management console (start –> run –> gpedit.msc)

    goto user configuration –> administrative template —> system — > turn off auto play —> click enable and select all drives then click ok

    this method also help to pverent virus from spreading.
    all ways open removable device by explorer bar

    Mohamed Rizvi
    [email protected]

  112. are you online chingy00? try downloading AVAST and run the “Schedule boot-time scan” and then read my instruction on removing Autorun.inf and make sure you remove yew.bat too that’s the loader of the virus (based on the autorun.inf code you posted)

    Good luck!

  113. chingy00

    i am running kaspersky antivirus 7.0
    i am viewing the autorun.inf through a software named explorerxp
    these files are hidden and i have no idea how to get rid of this.
    please help me

  114. chingy00


    Could you please tell me what virus this is?
    i need help =(

  115. @Yonas Tesfaye, have you tried starting ur PC in Safemode command prompt only? Remove first your flash drive b4 rebooting and try the steps I have specified here on my post.

  116. Yonas Tesfaye

    I am using windows XP and I couldn’t run my pc I can enter only in safe mode I couldn’t run command prompt, task manager. My flash disk showed me that a virus to be called user porn and adminstrator porn please help.

  117. @alchen, actually it is not a damage. it is just that autorun.inf on your drive was not deleted yet. to delete it: first go to command prompt (Start->Programs->Accessories->Command Prompt), if the infected drive is C, type the following commands:

    1. C:
    2. CD\
    3. ATTRIB -H -R -S autorun.inf
    4. DEL autorun.inf

    this series of command will delete the autorun.inf on drive C repeat this steps to other drives (just replace C: with the letter of the drive to apply the solution) then restart your computer to see the effect.

    Thanks for dropping by and just leave comment here if you have something to ask about this solution. Good luck!

  118. alchen


    I’m new here and i was really amaze reading this “autorun.inf” article.
    I would also like to ask you if can also remove specific virus like “kathyros.vbs”? The virus was previously removed by an antivirus software but the damage of the virus was so irritating. You can see the name “kathyros” when you right click your drive C:\ written on the side of “open” and when double click your drive, your computer will prompt you (can not find script file “c:\kathyros.vbs”)
    I hope you can help me on this one.

    Thank You so much!

  119. astig ah! mukang sanay na sanay ka mag DOS. Ni Download ko ung .REG file mo.. Mukang mabagsik na programmer ka tlaga ah hehe.

  120. @KAMY download Hijackthis then run it (use Google to find it). It will produce a log file, attach it to your email & send it to me at admin @ bleuken . com, I will try to analyze it and let us see what can i do about it. 🙂

  121. KAMY

    I thank u for sharing such skills
    but for me,i tried and i did not remove the virus autorun.inf.
    I installed kaspersky anti-virus and it didn’t work;i beg u to help me how to resolve this problem, my computer doesn’t work.
    I ‘m waiting for your answer.

  122. try removing runexe.bat from your system (del c:\windows\system32\runexe.bat). creating the autorun.inf folder prevents autorun.inf to be created by programs not curing it. I don’t use Live-TV toolbar but I will check on it to see if that will be the cause.

  123. Ivan

    i succeed creating the folder autorun.inf in every drive.. but as i remember the nod32 was reporting that autorun.inf was created by c:\windows\system32\runexe.bat.. now this message dissapear, but i still don’t know if my runexe.bat is ok! waht do you think??
    one more thing, i started receiving this messages since i installed the live-tv toolbar
    thank you

  124. Anish Prasad


Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.